
Backport: fix(bt/bluedroid): fixed potential OOB in AVRCP vendor command composition [CVE-2025-68474] #117

Merged: floitsch merged 1 commit into toitware:patch-head-5.4.2 from dkgkdfg65:port-credit/backport/cve-2025-68474-patch-head-5.4.2 on May 17, 2026


@dkgkdfg65


backports espressif/esp-idf 0b0b59f (release/v5.3, 2025-10-09) for CVE-2025-68474 — replaces an assert-based bounds check (compiled out in release builds) with a runtime guard that returns NULL when the buffer can't hold the vendor command. adds AVRC_MIN_VENDOR_CMD_LEN define and NULL-check on p_msg.

upstream commit: espressif@0b0b59f2e19c
CVE: https://nvd.nist.gov/vuln/detail/CVE-2025-68474

diff: components/bt/host/bluedroid/stack/avrc/avrc_opt.c | +17 -6

haven't run the full esp-idf test suite locally.

…and composition

Backport of upstream espressif/esp-idf commit 0b0b59f to fix CVE-2025-68474.

(cherry picked from commit 0b0b59f)

This commit is a verbatim cherry-pick from espressif/esp-idf using:
  git cherry-pick -x 0b0b59f

Cherry-picked from commit 0b0b59f.

Signed-off-by: dkgkdfg65 <219107372+dkgkdfg65@users.noreply.github.com>
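
The change the PR description summarizes (an assert-only bounds check replaced by a runtime guard that returns NULL), as an added example that is not code from this PR or from esp-idf. Every `ex_`/`EX_` name and the header size of 6 are constructed for illustration; the overflow is confined to a larger arena so its effect can be counted.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EX_MIN_CMD_LEN 6u        /* constructed header size, not the real define's value */
#define EX_ASSERT(c) ((void)0)   /* models an assert compiled out of a release build */

/* Before: the only capacity check is the assert, so a release build writes blindly. */
size_t ex_compose_assert_only(uint8_t *buf, size_t cap, const uint8_t *data, size_t len)
{
    EX_ASSERT(cap >= EX_MIN_CMD_LEN + len);
    (void)cap;
    memset(buf, 0, EX_MIN_CMD_LEN);               /* placeholder header bytes */
    memcpy(buf + EX_MIN_CMD_LEN, data, len);
    return EX_MIN_CMD_LEN + len;
}

/* After: runtime guard; NULL means the command does not fit and nothing was written. */
uint8_t *ex_compose_guarded(uint8_t *buf, size_t cap, const uint8_t *data, size_t len)
{
    if (buf == NULL || cap < EX_MIN_CMD_LEN || len > cap - EX_MIN_CMD_LEN)
        return NULL;                              /* subtraction form cannot wrap size_t */
    memset(buf, 0, EX_MIN_CMD_LEN);
    memcpy(buf + EX_MIN_CMD_LEN, data, len);
    return buf;
}

/* Counts bytes changed beyond `cap` inside a larger arena (keeps the demo well-defined). */
size_t ex_bytes_past_cap(int guarded, size_t cap, size_t len)
{
    uint8_t arena[64], data[32];
    size_t i, hit = 0;
    if (cap > sizeof arena || len > sizeof data || EX_MIN_CMD_LEN + len > sizeof arena) return 0;
    memset(arena, 0xA5, sizeof arena);            /* canary fill */
    memset(data, 0x11, sizeof data);              /* constructed payload */
    if (guarded) (void)ex_compose_guarded(arena, cap, data, len);
    else (void)ex_compose_assert_only(arena, cap, data, len);
    for (i = cap; i < sizeof arena; i++) hit += (arena[i] != 0xA5);
    return hit;
}

int main(void)
{
    printf("assert-only: %zu bytes past cap\n", ex_bytes_past_cap(0, 8, 10));
    printf("guarded:     %zu bytes past cap\n", ex_bytes_past_cap(1, 8, 10));
    return 0;
}
```

Callers of the guarded form have to treat NULL as "message not composed", which is why a NULL check on the returned message accompanies this kind of fix.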

@floitsch floitsch left a comment

Member


LGTM.
Thanks.

@floitsch floitsch merged commit 40fd701 into toitware:patch-head-5.4.2 May 17, 2026
1 check passed
@dkgkdfg65

Author

thanks. fyi there's an openvehicles/esp-idf PR for the same CVE at openvehicles#8 — they're on the 2019-era esp-idf tree so the file path is different (components/bt/bluedroid/... instead of bt/host/bluedroid/...), git's rename-detection handled the cherry-pick. mentioning in case useful for cross-fork advisory tracking down the road.
