CVE-2025-22102: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-22102 is a vulnerability discovered in the Linux kernel's Bluetooth btnxpuart driver, disclosed on April 16, 2025. The vulnerability affects the firmware release process during simultaneous WLAN and BT firmware download operations (NVD, Red Hat).

The vulnerability occurs during a stress test scenario where WLAN and BT firmware download happens simultaneously. Due to a hardware bug, the chip sends only one bootloader signature instead of consecutive signatures. When the driver receives the bootloader signature, it enters firmware download mode, but without subsequent signatures, the firmware file is not requested. After a 60-second timeout, the release_firmware operation triggers a kernel panic (Red Hat). The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat).

The vulnerability results in a kernel panic, leading to system instability and potential denial of service. The impact is primarily focused on system availability, with no direct effect on confidentiality or integrity (Red Hat).

The vulnerability has been resolved in the Linux kernel through a patch that fixes the kernel panic issue during firmware release. Several Linux distributions have addressed this in their updates, with some versions being marked as not affected due to the vulnerable code not being present (Debian).