Bluetooth Encryption Key Size Vulnerability in Linux Kernel by Vencer Co., Ltd.
CVE-2025-39889


Key Information:

Vendor: Linux
Status: Vendor
CVE Published: 24 September 2025

What is CVE-2025-39889?

A vulnerability exists in the Bluetooth stack of the Linux kernel, where an improper check of the encryption key size allows connections with insufficient security. Specifically, the kernel does not validate the encryption key size of incoming connection requests against the requirements of Security Mode 4 Level 4, which mandates a 16-byte key. This oversight may allow devices negotiating weaker encryption to establish a connection, undermining the intended security level and potentially exposing sensitive data.

Affected Version(s)

  • Linux 288c06973daae4637f25a0d1bdaf65fdbf8455f9 < 24b2cdfc16e9bd6ab3d03b8e01c590755bd3141f
  • Linux 288c06973daae4637f25a0d1bdaf65fdbf8455f9
  • Linux 288c06973daae4637f25a0d1bdaf65fdbf8455f9 < 9e3114958d87ea88383cbbf38c89e04b8ea1bce5

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved
