SB2026010844 - Multiple vulnerabilities in Apache NimBLE

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Out-of-bounds read (CVE-ID: CVE-2025-53470)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the HCI H4 driver. A local user can send a specially crafted HCI event to trigger an out-of-bounds read error and read contents of memory on the system.

2) NULL pointer dereference (CVE-ID: CVE-2025-53477)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

Note, successful exploitation of the vulnerability requires disabled asserts and broken or bogus Bluetooth controller.

3) Authentication Bypass by Spoofing (CVE-ID: CVE-2025-62235)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to incorrect handling of SMP Security Request. A remote attacker can hijack an existing session subsequently disconnecting the legitimate user.

4) Cleartext transmission of sensitive information (CVE-ID: CVE-2025-52435)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to improper handling of Pause Encryption procedure on Link Layer, which results in a previously encrypted connection being left in un-encrypted state. A remote attacker with ability to intercept network traffic can gain access to sensitive data.

Remediation

Install update from vendor's website.

References

• https://lists.apache.org/thread/ddvrpr6rxp8osrztbtnxd6ch8116fmxz
• https://lists.apache.org/thread/by9ktm3zqo2jpz4j39x8fzdr0njnyqgf
• https://lists.apache.org/thread/dgfhzt53sj7j2prwgptw6b2429p2t1ob
• https://lists.apache.org/thread/k7qllrn366rrqzb5dr2pnhfml0wyqt16