oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2025-52435: Apache NimBLE: Invalid error handling in pause encryption procedure in NimBLE controller

From: Szymon Janc <janc () apache org>
Date: Thu, 08 Jan 2026 09:50:31 +0000
Severity: important 

Affected versions:

- Apache NimBLE through 1.8.0

Description:

J2EE Misconfiguration: Data Transmission Without Encryption vulnerability in Apache NimBLE.

Improper handling of Pause Encryption procedure on Link Layer results in a previously encrypted connection being left 
in un-encrypted state allowing an eavesdropper to observe the remainder of the exchange.
This issue affects Apache NimBLE: through <= 1.8.0.

Users are recommended to upgrade to version 1.9.0, which fixes the issue.

Credit:

Henrik Schnor <henrik.schnor () mailbox org> (reporter)

References:

https://github.com/apache/mynewt-nimble/commit/164f1c23c18a290908df76ed83fe848bfe4a4903
https://github.com/apache/mynewt-nimble/commit/ec3d75e909fa6dcadf1836fefc4432794a673d18
https://mynewt.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-52435
Previous By Date Next
Previous By Thread Next

Current thread: