A read past the end of the buffer and division by zero security issue in QLowEnergyController in the Qt Bluetooth module on Linux has been discovered and has been assigned the CVE id CVE-2025-23050.
Affected versions: From Qt 5.4.0 to 5.15.18, 6.0.0 to 6.5.8, and 6.6.0 to 6.8.1. Impact: QLowEnergyController on Linux has a BlueZ DBus and a Bluetooth Kernel API backend. When using the Bluetooth Kernel API backend of QLowEnergyController, QtBluetooth creates a Bluetooth L2CAP socket to establish a connection with an external Bluetooth Low Energy device. After that, the external device can send malformed Bluetooth ATT commands to trigger read past the end of the buffer and division by zero errors. The problem is relevant for both central and peripheral roles. For central role use cases the Bluetooth Kernel API backend is only used if the system's BlueZ runtime version is lower than 5.42. For peripheral use cases, the Bluetooth Kernel API backend is used by default for all Qt versions before Qt 6.7. Deployments using Qt 6.7 or later trigger the backend if the Bluez version is below 5.56 or the explicit opt in via the env variable QT_BLUETOOTH_USE_KERNEL_PERIPHERAL was given. In the central role the user has to explicitly connect to the attacking external device before the malformed commands are processed. In the peripheral role, the advertising should be started with the QLowEnergyAdvertisingParameters::AdvInd mode to allow the external device to connect. Solution: Apply the following patch or update to Qt 6.9.0 or 6.8.2 or 6.5.9 or 5.15.19 Patches: dev: https://codereview.qt-project.org/c/qt/qtconnectivity/+/614538 Qt 6.9: https://codereview.qt-project.org/c/qt/qtconnectivity/+/616915/2 Qt 6.8: https://codereview.qt-project.org/c/qt/qtconnectivity/+/617004 or https://download.qt.io/official_releases/qt/6.8/CVE-2025-23050-qtconnectivity-6.8.diff Qt 6.5: https://codereview.qt-project.org/c/qt/tqtc-qtconnectivity/+/617086 or https://download.qt.io/official_releases/qt/6.5/CVE-2025-23050-qtconnectivity-6.5.diff Qt 5.15: https://codereview.qt-project.org/c/qt/tqtc-qtconnectivity/+/617371 or https://download.qt.io/official_releases/qt/5.15/CVE-2025-23050-qtconnectivity-5.15.diff Regards, Andy -- Andy Shaw, Director, Customer Services - SQS The Qt Company _______________________________________________ Announce mailing list annou...@qt-project.org https://lists.qt-project.org/listinfo/announce -- Development mailing list Development@qt-project.org https://lists.qt-project.org/listinfo/development
