Bluetooth: l2cap: Check encryption key size on incoming connection
Summary
| CVE | CVE-2025-39889 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2025-09-24 11:15:32 UTC |
| Updated | 2026-04-02 09:16:19 UTC |
Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: l2cap: Check encryption key size on incoming connection

This is required for passing GAP/SEC/SEM/BI-04-C PTS test case:

Security Mode 4 Level 4, Responder - Invalid Encryption Key Size - 128 bit

This tests the security key with size from 1 to 15 bytes while the Security Mode 4 Level 4 requests 16 bytes key size.

Currently PTS fails with the following logs:

```
- expected:Connection Response:
    Code: [3 (0x03)]
    Code Identifier: <WildCard: Exists>
    Length: [8 (0x0008)]
    Destination CID: <WildCard: Exists>
    Source CID: [64 (0x0040)]
    Result: [3 (0x0003)] Connection refused - Security block
    Status: <WildCard: Exists>,
 but received:Connection Response:
    Code: [3 (0x03)]
    Code Identifier: [1 (0x01)]
    Length: [8 (0x0008)]
    Destination CID: [64 (0x0040)]
    Source CID: [64 (0x0040)]
    Result: [0 (0x0000)] Connection Successful
    Status: [0 (0x0000)] No further information available
```

And HCI logs:

```
< HCI Command: Read Encrypti.. (0x05|0x0008) plen 2
        Handle: 14 Address: 00:1B:DC:F2:24:10 (Vencer Co., Ltd.)
> HCI Event: Command Complete (0x0e) plen 7
      Read Encryption Key Size (0x05|0x0008) ncmd 1
        Status: Success (0x00)
        Handle: 14 Address: 00:1B:DC:F2:24:10 (Vencer Co., Ltd.)
        Key size: 7
> ACL Data RX: Handle 14 flags 0x02 dlen 12
      L2CAP: Connection Request (0x02) ident 1 len 4
        PSM: 4097 (0x1001)
        Source CID: 64
< ACL Data TX: Handle 14 flags 0x00 dlen 16
      L2CAP: Connection Response (0x03) ident 1 len 8
        Destination CID: 64
        Source CID: 64
        Result: Connection successful (0x0000)
        Status: No further information available (0x0000)
```
Risk And Classification
Primary CVSS: v3.1 5.5 MEDIUM from [email protected]
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Problem Types: CWE-326 Inadequate Encryption Strength
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | ADP | DECLARED | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | Secondary | 8.1 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | CNA | DECLARED | 8.1 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
CVSS v3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity | None |
| Availability | High |
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Linux | Linux Kernel | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Status | Version range | Version type | Platforms |
|---|---|---|---|---|---|---|
| CNA | Linux | Linux | affected | 4f911a538e089cce808a15dc3277250f4f8daef9 to ed503d340a501e414114ddc614a3aae4f6e9eae2 | git | Not specified |
| CNA | Linux | Linux | affected | 288c06973daae4637f25a0d1bdaf65fdbf8455f9 to 24b2cdfc16e9bd6ab3d03b8e01c590755bd3141f | git | Not specified |
| CNA | Linux | Linux | affected | 288c06973daae4637f25a0d1bdaf65fdbf8455f9 to c6d527bbd3d3896375079f5dbc8b7f96734a3ba5 | git | Not specified |
| CNA | Linux | Linux | affected | 288c06973daae4637f25a0d1bdaf65fdbf8455f9 to 9e3114958d87ea88383cbbf38c89e04b8ea1bce5 | git | Not specified |
| CNA | Linux | Linux | affected | 288c06973daae4637f25a0d1bdaf65fdbf8455f9 to d49798ecd26e0ee7995a7fc1e90ca5cd9b4402d6 | git | Not specified |
| CNA | Linux | Linux | affected | 288c06973daae4637f25a0d1bdaf65fdbf8455f9 to d4ca2fd218caafbf50e3343ba1260c6a23b5676a | git | Not specified |
| CNA | Linux | Linux | affected | 288c06973daae4637f25a0d1bdaf65fdbf8455f9 to 522e9ed157e3c21b4dd623c79967f72c21e45b78 | git | Not specified |
| CNA | Linux | Linux | affected | 5.11 | | Not specified |
| CNA | Linux | Linux | unaffected | 5.11 | semver | Not specified |
| CNA | Linux | Linux | unaffected | 5.15.181 to 5.15.* | semver | Not specified |
| CNA | Linux | Linux | unaffected | 6.1.135 to 6.1.* | semver | Not specified |
| CNA | Linux | Linux | unaffected | 6.6.88 to 6.6.* | semver | Not specified |
| CNA | Linux | Linux | unaffected | 6.12.25 to 6.12.* | semver | Not specified |
| CNA | Linux | Linux | unaffected | 6.14.4 to 6.14.* | semver | Not specified |
| CNA | Linux | Linux | unaffected | 6.15 to * | original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/9e3114958d87ea88383cbbf38c89e04b8ea1bce5 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/c6d527bbd3d3896375079f5dbc8b7f96734a3ba5 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/d49798ecd26e0ee7995a7fc1e90ca5cd9b4402d6 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/522e9ed157e3c21b4dd623c79967f72c21e45b78 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/ed503d340a501e414114ddc614a3aae4f6e9eae2 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/d4ca2fd218caafbf50e3343ba1260c6a23b5676a | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/24b2cdfc16e9bd6ab3d03b8e01c590755bd3141f | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.