From afa08fbc69be6b48a456203592b16640969138e3 Mon Sep 17 00:00:00 2001 From: Flavio Ceolin Date: Fri, 7 Nov 2025 11:01:53 -0800 Subject: [PATCH 1/3] doc: security: Disclose CVE-2025-12890 Disclose information about published CVE. Signed-off-by: Flavio Ceolin --- doc/releases/release-notes-4.2.rst | 2 ++ doc/security/vulnerabilities.rst | 17 +++++++++++++++++ 2 files changed, 19 insertions(+) diff --git a/doc/releases/release-notes-4.2.rst b/doc/releases/release-notes-4.2.rst index b73d345acb01b..458e70d13255b 100644 --- a/doc/releases/release-notes-4.2.rst +++ b/doc/releases/release-notes-4.2.rst @@ -71,6 +71,8 @@ Security Vulnerability Related The following CVEs are addressed by this release: +* :cve:`2025-12890` `Bluetooth: peripheral: Invalid handling of malformed connection request + `_ * :cve:`2025-27809` `TLS clients may unwittingly skip server authentication `_ * :cve:`2025-27810` `Potential authentication bypass in TLS handshake diff --git a/doc/security/vulnerabilities.rst b/doc/security/vulnerabilities.rst index 21f25c28bcfe1..c482a2bbd8412 100644 --- a/doc/security/vulnerabilities.rst +++ b/doc/security/vulnerabilities.rst @@ -2022,3 +2022,20 @@ Under embargo until 2025-11-24 ----------------- Under embargo until 2025-12-13 + +:cve:`2025-12890` +----------------- + +Bluetooth: peripheral: Invalid handling of malformed connection request + +Improper handling of malformed Connection Request with the interval +set to be 1 (which supposed to be illegal) and the chM 0x7CFFFFFFFF +triggers a crash. The peripheral will not be connectable after it. + +- `Zephyr project bug tracker GHSA-8hrf-pfww-83v9 + `_ + +This has been fixed in main for v4.2.0 + +- `PR 89955 fix for main + `_ From 75295fcfdae93c7c3a75128d9dfe2b9410759c88 Mon Sep 17 00:00:00 2001 From: Flavio Ceolin Date: Fri, 7 Nov 2025 11:41:02 -0800 Subject: [PATCH 2/3] doc: vuln: Add CVE under embargo Add an entry to CVE-2025-12899. 
Signed-off-by: Flavio Ceolin --- doc/security/vulnerabilities.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/doc/security/vulnerabilities.rst b/doc/security/vulnerabilities.rst index c482a2bbd8412..016fa40946d8d 100644 --- a/doc/security/vulnerabilities.rst +++ b/doc/security/vulnerabilities.rst @@ -2039,3 +2039,8 @@ This has been fixed in main for v4.2.0 - `PR 89955 fix for main `_ + +:cve:`2025-12899` +----------------- + +Under embargo until 2026-01-28 From cf9eedc3398d41388b5991dd6d38461d79a63321 Mon Sep 17 00:00:00 2001 From: Flavio Ceolin Date: Fri, 7 Nov 2025 11:43:04 -0800 Subject: [PATCH 3/3] doc: release/4.3: Add CVE under embargo Add information about CVE-2025-12899 under embargo. Signed-off-by: Flavio Ceolin --- doc/releases/release-notes-4.3.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/releases/release-notes-4.3.rst b/doc/releases/release-notes-4.3.rst index 15464fe9d37b9..fb880971264a8 100644 --- a/doc/releases/release-notes-4.3.rst +++ b/doc/releases/release-notes-4.3.rst @@ -87,6 +87,7 @@ The following CVEs are addressed by this release: * :cve:`2025-9557`: Under embargo until 2025-11-24 * :cve:`2025-9558`: Under embargo until 2025-11-24 * :cve:`2025-12035`: Under embargo until 2025-12-13 +* :cve:`2025-12899`: Under embargo until 2026-01-28 * :cve:`2025-59438` `Padding oracle through timing of cipher error reporting `_ * :cve:`2025-54764` `Side channel in RSA key generation and operations (SSBleed, M-Step)
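Review bot: In the doc/security/vulnerabilities.rst hunk of patch 1/3, the CVE-2025-12890 description does not say what "chM" is or which releases are affected, so a reader cannot tell from the entry alone whether their build is exposed. Suggest spelling out the field on first use (the channel map, ChM, carried in the connection request) and fixing "which supposed to be illegal" to "which is supposed to be illegal". "The peripheral will not be connectable after it" would be clearer if it stated the impact directly, for example whether the device stays unconnectable until it is reset. The entry only says "This has been fixed in main for v4.2.0"; if earlier supported releases are affected or have backports, list them alongside the PR 89955 link so users on those branches know whether they need the fix.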