Security Vulnerability Report
CVE-2025-53477 CVSS 7.5 HIGH

CVE-2025-53477

Published: 2026-01-10 10:15:51
Last Modified: 2026-01-14 17:38:58

Description

NULL Pointer Dereference vulnerability in Apache NimBLE. Missing validation of the HCI connection complete event or of the HCI command TX buffer could lead to a NULL pointer dereference. This issue requires disabled asserts and a broken or bogus Bluetooth controller, and thus severity is considered low. This issue affects Apache NimBLE through 1.8.0. Users are recommended to upgrade to version 1.9.0, which fixes the issue.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:apache:nimble:*:*:*:*:*:*:*:* - VULNERABLE
Apache NimBLE < 1.8.0
Apache NimBLE 1.0.0 - 1.8.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
// CVE-2025-53477 PoC - NULL Pointer Dereference in Apache NimBLE
// This PoC is a self-contained simulation of the conditions required to
// trigger the vulnerability; it is not code taken from the NimBLE tree.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>   // uint8_t / uint16_t (missing from the original listing)

// Simulated HCI Connection Complete event structure
struct hci_ev_conn_complete {
    uint8_t  event_code;
    uint8_t  param_len;
    uint8_t  status;
    uint16_t handle;
    uint8_t  link_type;
    uint8_t  enc_mode;
} __attribute__((packed));

// Vulnerable function - missing NULL validation
void nimble_hci_conn_complete_process(uint8_t *data, uint16_t len)
{
    struct hci_ev_conn_complete *evt;
    (void)len;  // length is never checked either; kept to mirror the flawed interface

    // VULNERABILITY: Missing validation of data pointer
    // Should check if data is NULL before dereferencing
    evt = (struct hci_ev_conn_complete *)data;

    // VULNERABILITY: Missing validation of connection handle
    // Should verify handle is valid before use
    uint16_t handle = evt->handle;  // NULL pointer dereference here

    // Process connection (will crash if evt is NULL)
    printf("Processing connection handle: %d\n", handle);
}

// Trigger conditions:
// 1. Build with NDEBUG defined (disables asserts)
// 2. Use broken/bogus Bluetooth controller
// 3. Send malformed HCI event with NULL data pointer
int main(void)
{
    printf("[*] CVE-2025-53477 PoC for Apache NimBLE NULL Pointer Dereference\n");
    printf("[*] Trigger conditions: disabled asserts + bogus BT controller\n");

    // Simulate triggering with NULL data
    uint8_t *malformed_data = NULL;
    printf("[*] Sending malformed HCI connection complete event...\n");
    nimble_hci_conn_complete_process(malformed_data, 0);

    return 0;
}

References

https://github.com/apache/mynewt-nimble/commit/0caf9baeb271ede85fcc5237ab87ddbf938600da (Patch)
https://github.com/apache/mynewt-nimble/commit/3160b8c4c7ff8db4e0f9badcdf7df684b151e077 (Patch)
https://lists.apache.org/thread/1dxthc132hwm2tzvjblrtnschcsbw2vo (Mailing List, Vendor Advisory)
http://www.openwall.com/lists/oss-security/2026/01/08/3 (Mailing List, Third Party Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-53477",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-10T10:15:50.660",
    "lastModified": "2026-01-14T17:38:58.047",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "NULL Pointer Dereference vulnerability in Apache Nimble.\n\nMissing validation of HCI connection complete or HCI command TX buffer could lead to NULL pointer dereference.\nThis issue requires disabled asserts and broken or bogus Bluetooth controller and thus severity is considered low.\n\nThis issue affects Apache NimBLE: through 1.8.0.\n\nUsers are recommended to upgrade to version 1.9.0, which fixes the issue."
      },
      {
        "lang": "es",
        "value": "Vulnerabilidad de desreferencia de puntero NULL en Apache NimBLE.\n\nLa falta de validación de la finalización de la conexión HCI o del búfer TX de comandos HCI podría conducir a una desreferencia de puntero NULL.\nEste problema requiere asserts deshabilitados y un controlador Bluetooth defectuoso o erróneo, y por lo tanto la gravedad se considera baja.\n\nEste problema afecta a Apache NimBLE: hasta la versión 1.8.0.\n\nSe recomienda a los usuarios actualizar a la versión 1.9.0, que corrige el problema."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-476"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:apache:nimble:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "1.9.0",
                "matchCriteriaId": "DC033019-AA62-465E-AD0A-8018D8C89ED3"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/apache/mynewt-nimble/commit/0caf9baeb271ede85fcc5237ab87ddbf938600da", "source": "[email protected]", "tags": ["Patch"]},
      {"url": "https://github.com/apache/mynewt-nimble/commit/3160b8c4c7ff8db4e0f9badcdf7df684b151e077", "source": "[email protected]", "tags": ["Patch"]},
      {"url": "https://lists.apache.org/thread/1dxthc132hwm2tzvjblrtnschcsbw2vo", "source": "[email protected]", "tags": ["Mailing List", "Vendor Advisory"]},
      {"url": "http://www.openwall.com/lists/oss-security/2026/01/08/3", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}
    ]
  }
}