January 21, 2025 by Tuukka Kettunen
A read past the end of the buffer and division by zero security issue in QLowEnergyController in the Qt Bluetooth module on Linux has been discovered and has been assigned the CVE id CVE-2025-23050.
Affected versions: From Qt 5.4.0 to 5.15.18, 6.0.0 to 6.5.8, and 6.6.0 to 6.8.1.
Impact: QLowEnergyController on Linux has a BlueZ DBus and a Bluetooth Kernel API backend. When using the Bluetooth Kernel API backend of QLowEnergyController, QtBluetooth creates a Bluetooth L2CAP socket to establish a connection with an external Bluetooth Low Energy device. After that, the external device can send malformed Bluetooth ATT commands to trigger read past the end of the buffer and division by zero errors. The problem is relevant for both central and peripheral roles.
For central role use cases the Bluetooth Kernel API backend is only used if the system's BlueZ runtime version is lower than 5.42.
For peripheral use cases, the Bluetooth Kernel API backend is used by default for all Qt versions before Qt 6.7. Deployments using Qt 6.7 or later select the backend if the BlueZ version is below 5.56 or if the explicit opt-in via the environment variable QT_BLUETOOTH_USE_KERNEL_PERIPHERAL was given.
In the central role the user has to explicitly connect to the attacking external device before the malformed commands are processed.
In the peripheral role, advertising must have been started with the QLowEnergyAdvertisingParameters::AdvInd mode to allow the external device to connect.
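As an added example (not part of the advisory or of Qt's own code), the shell script below encodes the affected-version ranges and the backend-selection rules above into an exposure check that can be run over an inventory of Qt and BlueZ versions; the function names and the suggested commands for reading live versions are assumptions.

```shell
# Added example, not Qt's code: CVE-2025-23050 exposure check built from the
# advisory's affected ranges and backend rules. Inputs are plain strings; on a live
# host use "qmake -query QT_VERSION", "bluetoothctl --version" and the env var (assumed usage).
# version_lt A B: succeeds when dotted version A is numerically lower than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# qt_affected QT_VERSION: succeeds for 5.4.0-5.15.18, 6.0.0-6.5.8 and 6.6.0-6.8.1.
qt_affected() {
    if version_lt "$1" "5.4.0";   then return 1; fi
    if version_lt "$1" "5.15.19"; then return 0; fi
    if version_lt "$1" "6.0.0";   then return 1; fi
    if version_lt "$1" "6.5.9";   then return 0; fi
    if version_lt "$1" "6.6.0";   then return 1; fi
    if version_lt "$1" "6.8.2";   then return 0; fi
    return 1
}

# kernel_backend_used ROLE QT_VERSION BLUEZ_VERSION OPTIN: succeeds when the
# Bluetooth Kernel API backend would be selected for that role.
kernel_backend_used() {
    case "$1" in
        central)    version_lt "$3" "5.42" ;;
        peripheral) if version_lt "$2" "6.7.0"; then return 0; fi
                    if version_lt "$3" "5.56"; then return 0; fi
                    [ -n "$4" ] ;;   # opted in via QT_BLUETOOTH_USE_KERNEL_PERIPHERAL
        *)          return 2 ;;
    esac
}

# exposure ROLE QT_VERSION BLUEZ_VERSION OPTIN: prints "exposed" or "not-exposed".
exposure() {
    if qt_affected "$2" && kernel_backend_used "$1" "$2" "$3" "$4"; then
        echo exposed
    else
        echo not-exposed
    fi
}
```

A result of "exposed" means the deployment runs an affected Qt and would pick the kernel backend for that role, so the patch or a fixed release is needed; "not-exposed" only covers this CVE's backend condition, not other reasons to update.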
Solution: Apply the following patch or update to Qt 6.9.0, 6.8.2, 6.5.9 or 5.15.19.
Patches:
dev: https://codereview.qt-project.org/c/qt/qtconnectivity/+/614538
Qt 6.9: https://codereview.qt-project.org/c/qt/qtconnectivity/+/616915/2
Qt 6.8: https://codereview.qt-project.org/c/qt/qtconnectivity/+/617004 or https://download.qt.io/official_releases/qt/6.8/CVE-2025-23050-qtconnectivity-6.8.diff
Qt 6.5: https://codereview.qt-project.org/c/qt/tqtc-qtconnectivity/+/617086 or https://download.qt.io/official_releases/qt/6.5/CVE-2025-23050-qtconnectivity-6.5.diff
Qt 5.15: https://codereview.qt-project.org/c/qt/tqtc-qtconnectivity/+/617371 or https://download.qt.io/official_releases/qt/5.15/CVE-2025-23050-qtconnectivity-5.15.diff