
CVE-2025-22102: Vulnerability in Linux (Linux kernel)

Medium
Published: Wed Apr 16 2025 (04/16/2025, 14:12:51 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btnxpuart: Fix kernel panic during FW release

This fixes a kernel panic seen during release FW in a stress test scenario where WLAN and BT FW download occurs simultaneously, and due to a HW bug, chip sends out only 1 bootloader signature. When driver receives the bootloader signature, it enters FW download mode, but since no consecutive bootloader signatures seen, FW file is not requested. After 60 seconds, when FW download times out, release_firmware causes a kernel panic.

[ 2601.949184] Unable to handle kernel paging request at virtual address 0000312e6f006573
[ 2601.992076] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000111802000
[ 2601.992080] [0000312e6f006573] pgd=0000000000000000, p4d=0000000000000000
[ 2601.992087] Internal error: Oops: 0000000096000021 [#1] PREEMPT SMP
[ 2601.992091] Modules linked in: algif_hash algif_skcipher af_alg btnxpuart(O) pciexxx(O) mlan(O) overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce snd_soc_fsl_easrc snd_soc_fsl_asoc_card imx8_media_dev(C) snd_soc_fsl_micfil polyval_generic snd_soc_fsl_xcvr snd_soc_fsl_sai snd_soc_imx_audmux snd_soc_fsl_asrc snd_soc_imx_card snd_soc_imx_hdmi snd_soc_fsl_aud2htx snd_soc_fsl_utils imx_pcm_dma dw_hdmi_cec flexcan can_dev
[ 2602.001825] CPU: 2 PID: 20060 Comm: hciconfig Tainted: G C O 6.6.23-lts-next-06236-gb586a521770e #1
[ 2602.010182] Hardware name: NXP i.MX8MPlus EVK board (DT)
[ 2602.010185] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 2602.010191] pc : _raw_spin_lock+0x34/0x68
[ 2602.010201] lr : free_fw_priv+0x20/0xfc
[ 2602.020561] sp : ffff800089363b30
[ 2602.020563] x29: ffff800089363b30 x28: ffff0000d0eb5880 x27: 0000000000000000
[ 2602.020570] x26: 0000000000000000 x25: ffff0000d728b330 x24: 0000000000000000
[ 2602.020577] x23: ffff0000dc856f38
[ 2602.033797] x22: ffff800089363b70 x21: ffff0000dc856000
[ 2602.033802] x20: ff00312e6f006573 x19: ffff0000d0d9ea80 x18: 0000000000000000
[ 2602.033809] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaaad80dd480
[ 2602.083320] x14: 0000000000000000 x13: 00000000000001b9 x12: 0000000000000002
[ 2602.083326] x11: 0000000000000000 x10: 0000000000000a60 x9 : ffff800089363a30
[ 2602.083333] x8 : ffff0001793d75c0 x7 : ffff0000d6dbc400 x6 : 0000000000000000
[ 2602.083339] x5 : 00000000410fd030 x4 : 0000000000000000 x3 : 0000000000000001
[ 2602.083346] x2 : 0000000000000000 x1 : 0000000000000001 x0 : ff00312e6f006573
[ 2602.083354] Call trace:
[ 2602.083356] _raw_spin_lock+0x34/0x68
[ 2602.083364] release_firmware+0x48/0x6c
[ 2602.083370] nxp_setup+0x3c4/0x540 [btnxpuart]
[ 2602.083383] hci_dev_open_sync+0xf0/0xa34
[ 2602.083391] hci_dev_open+0xd8/0x178
[ 2602.083399] hci_sock_ioctl+0x3b0/0x590
[ 2602.083405] sock_do_ioctl+0x60/0x118
[ 2602.083413] sock_ioctl+0x2f4/0x374
[ 2602.091430] __arm64_sys_ioctl+0xac/0xf0
[ 2602.091437] invoke_syscall+0x48/0x110
[ 2602.091445] el0_svc_common.constprop.0+0xc0/0xe0
[ 2602.091452] do_el0_svc+0x1c/0x28
[ 2602.091457] el0_svc+0x40/0xe4
[ 2602.091465] el0t_64_sync_handler+0x120/0x12c
[ 2602.091470] el0t_64_sync+0x190/0x194

AI-Powered Analysis

Last updated: 07/03/2025, 21:13:38 UTC

Technical Analysis

CVE-2025-22102 is a vulnerability in the Linux kernel affecting the Bluetooth driver module btnxpuart. The flaw arises during the firmware release process when WLAN and Bluetooth firmware downloads occur simultaneously. Due to a hardware bug in the affected chip, only a single bootloader signature is sent instead of the consecutive signatures the driver expects. When the driver receives this single bootloader signature, it enters firmware download mode but never requests the firmware file, because no further signatures follow. After the 60-second firmware download timeout, the release_firmware call triggers a kernel panic, causing a denial of service. The Oops in the description shows the fault being taken in _raw_spin_lock, called from free_fw_priv on behalf of release_firmware, which nxp_setup in btnxpuart invoked on the hci_dev_open path (the faulting process is hciconfig). The faulting virtual address (0000312e6f006573) is not NULL, so this is an invalid-pointer dereference: release_firmware was handed a firmware handle that did not point at a valid firmware object. The trace was captured on an NXP i.MX8MPlus EVK board running a 6.6.23-based kernel; the bug lies in the btnxpuart driver code rather than in a single board, so any kernel build containing the unfixed driver on affected NXP chips is exposed. The issue is triggered under stress test scenarios involving simultaneous WLAN and Bluetooth firmware downloads, which expose the hardware bug in bootloader signature transmission. While no remote code execution or privilege escalation is indicated, the kernel panic results in system instability and potential downtime. No CVSS score is assigned yet, and no known exploits in the wild have been reported as of the publication date April 16, 2025.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to embedded systems, IoT devices, and industrial equipment running affected Linux kernel versions on hardware platforms using the btnxpuart Bluetooth driver, such as NXP i.MX8MPlus-based devices. The kernel panic leads to system crashes and denial of service, which can disrupt critical operations in sectors relying on embedded Linux systems, including manufacturing, telecommunications, automotive, and healthcare. Systems performing simultaneous WLAN and Bluetooth firmware updates are particularly vulnerable, potentially causing unexpected downtime during maintenance or normal operation. While the vulnerability does not appear to allow code execution or data compromise, the loss of availability can impact service continuity, safety systems, and operational technology environments. European organizations with supply chains or products incorporating affected hardware and Linux kernel versions must consider the risk of operational disruption and plan for timely patching. The lack of known exploits reduces immediate threat but does not eliminate risk, especially in environments where firmware updates are frequent or automated.

Mitigation Recommendations

1. Apply the official Linux kernel patches that address this issue as soon as they become available from trusted sources or Linux distributions.
2. Identify and inventory all devices running affected Linux kernel versions with the btnxpuart Bluetooth driver, especially those using NXP i.MX8MPlus or similar hardware.
3. Implement controlled firmware update procedures to avoid simultaneous WLAN and Bluetooth firmware downloads where possible, reducing the chance of triggering the bug.
4. Monitor system logs for kernel panics or Oops messages related to release_firmware or btnxpuart to detect potential triggering of the vulnerability.
5. For embedded and IoT devices, coordinate with hardware vendors and device manufacturers to obtain updated firmware or kernel versions that incorporate the fix.
6. Where patching is not immediately feasible, consider disabling Bluetooth functionality or the btnxpuart driver if Bluetooth is not critical, to mitigate risk.
7. Establish robust backup and recovery procedures to minimize downtime impact in case of kernel panics.
8. Engage with device and hardware vendors to confirm if their products are affected and request guidance or updates.
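As an added detection example for recommendation 4 (this code is not part of the CVE record or of the kernel project), the following Python scans dmesg/journal lines for the Oops shape shown in the description, a call trace that reaches release_firmware from a btnxpuart frame, and reports the timestamp, the faulting process and the driver entry point. The sample input is constructed from the trace above; the function and regex names are the author's own.

```python
import re

# dmesg-style line, e.g. "[ 2602.083364] release_firmware+0x48/0x6c"
LINE_RE = re.compile(r"^\[\s*(\d+\.\d+)\]\s*(.*)$")
# call-trace frame: symbol+off/size, optionally followed by "[module]"
FRAME_RE = re.compile(r"^([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(\w+)\])?$")

def _flag(oops, findings):
    # The CVE-2025-22102 panic: release_firmware reached from a btnxpuart frame.
    entry = [s for s, m in oops["frames"] if m == "btnxpuart"]
    if entry and any(s == "release_firmware" for s, _ in oops["frames"]):
        findings.append({"ts": oops["ts"], "comm": oops["comm"], "entry": entry[0]})

def find_btnxpuart_oops(lines):
    """Scan dmesg/journal lines; return one finding per matching kernel Oops."""
    findings, cur, in_trace = [], None, False
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = float(m.group(1)), m.group(2)
        if msg.startswith("Internal error: Oops"):
            if cur:                      # a new Oops closes the previous one
                _flag(cur, findings)
            cur, in_trace = {"ts": ts, "comm": None, "frames": []}, False
        elif cur is None:
            continue
        elif msg.startswith("CPU:") and (cm := re.search(r"Comm:\s+(\S+)", msg)):
            cur["comm"] = cm.group(1)    # process that hit the panic
        elif msg == "Call trace:":
            in_trace = True
        elif in_trace and (fm := FRAME_RE.match(msg)):
            cur["frames"].append((fm.group(1), fm.group(2)))
    if cur:
        _flag(cur, findings)
    return findings

# Constructed sample: frames abbreviated from the trace in the CVE description,
# followed by an unrelated Oops that must not be reported.
SAMPLE = """\
[ 2601.992087] Internal error: Oops: 0000000096000021 [#1] PREEMPT SMP
[ 2602.001825] CPU: 2 PID: 20060 Comm: hciconfig Tainted: G C O 6.6.23-lts-next-06236-gb586a521770e #1
[ 2602.083354] Call trace:
[ 2602.083356] _raw_spin_lock+0x34/0x68
[ 2602.083364] release_firmware+0x48/0x6c
[ 2602.083370] nxp_setup+0x3c4/0x540 [btnxpuart]
[ 3000.000001] Internal error: Oops: 0000000096000004 [#2] PREEMPT SMP
[ 3000.000003] Call trace:
[ 3000.000004] some_other_fn+0x10/0x20 [othermod]
""".splitlines()
```

Feed it `dmesg` output or `journalctl -k -o short-monotonic` lines; each finding is one crash to correlate with Bluetooth/WLAN firmware activity on that device.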


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-29T08:45:45.819Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9832c4522896dcbe8124

Added to database: 5/21/2025, 9:09:06 AM

Last enriched: 7/3/2025, 9:13:38 PM

Last updated: 8/18/2025, 11:31:52 PM

