oss-security - CVE-2025-52435: Apache NimBLE: Invalid error handling in pause encryption procedure in NimBLE controller

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [day] [month] [year] [list]

Message-ID: <8d46334b-72ff-5df4-3e2a-751f5e47d96e@apache.org>
Date: Thu, 08 Jan 2026 09:50:31 +0000
From: Szymon Janc <janc@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-52435: Apache NimBLE: Invalid error handling in pause
 encryption procedure in NimBLE controller 

Severity: important 

Affected versions:

- Apache NimBLE through 1.8.0

Description:

J2EE Misconfiguration: Data Transmission Without Encryption vulnerability in Apache NimBLE.

Improper handling of Pause Encryption procedure on Link Layer results in a previously encrypted connection being left in un-encrypted state allowing an eavesdropper to observe the remainder of the exchange.
This issue affects Apache NimBLE: through <= 1.8.0.

Users are recommended to upgrade to version 1.9.0, which fixes the issue.

Credit:

Henrik Schnor <henrik.schnor@...lbox.org> (reporter)

References:

https://github.com/apache/mynewt-nimble/commit/164f1c23c18a290908df76ed83fe848bfe4a4903
https://github.com/apache/mynewt-nimble/commit/ec3d75e909fa6dcadf1836fefc4432794a673d18
https://mynewt.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-52435

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.