An out-of-bounds read (a read past the end of a buffer) and a division by zero 
in QLowEnergyController in the Qt Bluetooth module on Linux have been 
discovered and assigned the CVE id CVE-2025-23050.

Affected versions: Qt 5.4.0 through 5.15.18, 6.0.0 through 6.5.8, and 6.6.0 through 6.8.1.

Impact: QLowEnergyController on Linux has two backends, a BlueZ D-Bus backend 
and a Bluetooth Kernel API backend. When the Bluetooth Kernel API backend is in 
use, QtBluetooth opens a Bluetooth L2CAP socket to establish a connection with 
an external Bluetooth Low Energy device. Once connected, the external device 
can send malformed Bluetooth ATT commands that make QtBluetooth read past the 
end of a buffer or divide by zero. The problem is relevant for both the central 
and the peripheral role.

For central role use cases the Bluetooth Kernel API backend is only used if the 
system's BlueZ runtime version is lower than 5.42; with BlueZ 5.42 or later the 
BlueZ D-Bus backend is used instead.

For peripheral use cases, the Bluetooth Kernel API backend is used by default 
in all Qt versions before Qt 6.7. Deployments using Qt 6.7 or later use the 
backend only if the BlueZ version is below 5.56, or if it was explicitly opted 
into via the environment variable QT_BLUETOOTH_USE_KERNEL_PERIPHERAL.

In the central role, the application has to explicitly connect to the 
attacker's external device before any malformed commands are processed.

In the peripheral role, advertising has to have been started in 
QLowEnergyAdvertisingParameters::AdvInd (connectable undirected) mode for the 
external device to be able to connect.
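To make the exposure conditions above easy to apply to a concrete deployment, the following Python helper encodes the affected Qt ranges and the backend-selection rules (BlueZ 5.42 for the central role, Qt 6.7 and BlueZ 5.56 plus the opt-in variable for the peripheral role) as checkable functions. This is an added example, not code from Qt or from the advisory. The function names are mine; treating any non-empty value of QT_BLUETOOTH_USE_KERNEL_PERIPHERAL as the opt-in is an assumption, as is the `bluetoothctl: X.Y` output format that the optional `bluetoothctl --version` probe parses.

```python
"""Triage helper for CVE-2025-23050 (Qt Bluetooth / QLowEnergyController on Linux).

Constructed example: encodes the affected Qt ranges and the backend-selection
rules from the advisory so a deployment can be classified offline. Not part
of Qt or of the advisory text.
"""
from __future__ import annotations

import os
import re
import subprocess

# Inclusive [first, last] affected Qt releases, as listed in the advisory.
AFFECTED_QT_RANGES = (
    ((5, 4, 0), (5, 15, 18)),
    ((6, 0, 0), (6, 5, 8)),
    ((6, 6, 0), (6, 8, 1)),
)

# BlueZ thresholds below which the Kernel API backend is selected.
BLUEZ_CENTRAL_DBUS_MIN = (5, 42, 0)     # central role: kernel backend if BlueZ < 5.42
BLUEZ_PERIPHERAL_DBUS_MIN = (5, 56, 0)  # peripheral role, Qt >= 6.7: kernel backend if BlueZ < 5.56
QT_PERIPHERAL_DBUS_FIRST = (6, 7, 0)    # peripheral D-Bus backend exists only from Qt 6.7
OPT_IN_ENV = "QT_BLUETOOTH_USE_KERNEL_PERIPHERAL"

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)")


def parse_version(text: str) -> tuple[int, ...]:
    """Extract the first dotted version number in `text` as a 3-tuple.

    Accepts plain '6.8.1', distro strings like '5.68-0ubuntu1', and the
    'bluetoothctl: 5.64' line printed by `bluetoothctl --version` (assumed
    format). Missing components are padded with 0 so (5, 42) == (5, 42, 0).
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def qt_is_affected(qt_version: str) -> bool:
    """True if this Qt release lies inside one of the affected ranges."""
    v = parse_version(qt_version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_QT_RANGES)


def kernel_backend_used(role: str, qt_version: str, bluez_version: str,
                        env: dict[str, str] | None = None) -> bool:
    """Would QLowEnergyController pick the Bluetooth Kernel API backend?

    `role` is 'central' or 'peripheral'. `env` defaults to os.environ; pass a
    dict to evaluate a target deployment's environment instead of this one.
    """
    env = os.environ if env is None else env
    qt = parse_version(qt_version)
    bluez = parse_version(bluez_version)
    if role == "central":
        return bluez < BLUEZ_CENTRAL_DBUS_MIN
    if role == "peripheral":
        if qt < QT_PERIPHERAL_DBUS_FIRST:
            return True  # no D-Bus peripheral backend before Qt 6.7
        # Assumption: any non-empty value of the env var counts as the opt-in.
        opted_in = bool(env.get(OPT_IN_ENV))
        return bluez < BLUEZ_PERIPHERAL_DBUS_MIN or opted_in
    raise ValueError(f"role must be 'central' or 'peripheral', got {role!r}")


def exposed(role: str, qt_version: str, bluez_version: str,
            env: dict[str, str] | None = None) -> bool:
    """Affected Qt version AND the vulnerable backend would be in use."""
    return qt_is_affected(qt_version) and kernel_backend_used(role, qt_version, bluez_version, env)


def detect_bluez_version() -> str | None:
    """Best-effort probe of the local BlueZ version via `bluetoothctl --version`.

    Returns the raw output line if it contains a parseable version, else None
    (tool missing, timeout, or unexpected output).
    """
    try:
        out = subprocess.run(["bluetoothctl", "--version"], capture_output=True,
                             text=True, timeout=5, check=False).stdout
        parse_version(out)
        return out.strip()
    except (OSError, subprocess.TimeoutExpired, ValueError):
        return None


if __name__ == "__main__":
    import sys
    # Usage: python triage.py <qt_version> [central|peripheral]
    qt_ver = sys.argv[1] if len(sys.argv) > 1 else "6.8.1"
    role = sys.argv[2] if len(sys.argv) > 2 else "peripheral"
    bluez = detect_bluez_version()
    if bluez is None:
        print("could not detect BlueZ version; call exposed() with it manually")
    else:
        print(f"Qt {qt_ver}, BlueZ {parse_version(bluez)}, role={role}: "
              f"exposed={exposed(role, qt_ver, bluez)}")
```

The `exposed()` check is only the first half of a triage: an application that never advertises in AdvInd mode (peripheral) or never connects to untrusted devices (central) still does not reach the vulnerable path, so the result should be read as "the vulnerable backend would be selected", not as proof of reachability.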

Solution: Apply the patch for your branch below, or update to Qt 6.9.0, 6.8.2, 
6.5.9 or 5.15.19. No fixed 6.6 or 6.7 release is listed; deployments on those 
branches should move to 6.8.2 or later.

Patches:
dev: https://codereview.qt-project.org/c/qt/qtconnectivity/+/614538
Qt 6.9: https://codereview.qt-project.org/c/qt/qtconnectivity/+/616915/2
Qt 6.8: https://codereview.qt-project.org/c/qt/qtconnectivity/+/617004 or 
https://download.qt.io/official_releases/qt/6.8/CVE-2025-23050-qtconnectivity-6.8.diff
Qt 6.5: https://codereview.qt-project.org/c/qt/tqtc-qtconnectivity/+/617086 or 
https://download.qt.io/official_releases/qt/6.5/CVE-2025-23050-qtconnectivity-6.5.diff
Qt 5.15: https://codereview.qt-project.org/c/qt/tqtc-qtconnectivity/+/617371 or 
https://download.qt.io/official_releases/qt/5.15/CVE-2025-23050-qtconnectivity-5.15.diff

Regards,
Andy
--
Andy Shaw,
Director, Customer Services - SQS
The Qt Company

_______________________________________________
Announce mailing list
annou...@qt-project.org
https://lists.qt-project.org/listinfo/announce