Skip to main content

JXL Car Infotainment CVE-2025-63895

HIGH
Improper Resource Shutdown or Release (CWE-404)
2025-12-10 cve@mitre.org
7.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

Bluetooth LMP attack needs radio proximity so AV:A not AV:N; unauthenticated low-complexity link-layer packet (PR:N/AC:L); availability-only crash (A:H, C/I:N).

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 05, 2026 - 03:21 vuln.today
CVE Published
Dec 10, 2025 - 20:16 cve.org
HIGH 7.5

DescriptionCVE.org

An issue in the Bluetooth firmware of JXL 9 Inch Car Android Double Din Player Android v12.0 allows attackers to cause a Denial of Service (DoS) via sending a crafted Link Manager Protocol (LMP) packet.

AnalysisAI

Denial of service in the Bluetooth firmware of the JXL 9-inch Car Android Double Din Player (Android v12.0) lets an attacker within Bluetooth range crash the head unit by sending a malformed Link Manager Protocol (LMP) packet. The flaw sits in the low-level Bluetooth baseband/link layer, so no pairing or user interaction is needed to disrupt availability of the in-vehicle infotainment system. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.28%, 20th percentile), consistent with a niche automotive product rather than a mass-exploited target.

Technical ContextAI

The Link Manager Protocol (LMP) is the control-plane protocol of classic Bluetooth (BR/EDR) that runs between two devices' baseband controllers to negotiate connections, authentication, encryption, and link parameters before any higher-layer (L2CAP/RFCOMM) traffic. Because LMP is handled inside the Bluetooth controller firmware - below the operating system's Bluetooth stack - malformed LMP handling bugs are a recurring class in automotive and IoT SoCs. The CWE-404 (Improper Resource Shutdown or Release) classification indicates the firmware fails to properly free or reset resources when it receives a crafted/unexpected LMP packet, leading to resource exhaustion or an unrecoverable state that manifests as a crash. The CPE cpe:2.3:o:jxlindia:jxl_9_inch_car_android_double_din_player_firmware:12.0 identifies the affected component as the device firmware (operating-system-class CPE), specifically the Bluetooth firmware of this JXL Android 12.0 double-DIN head unit.

RemediationAI

No vendor-released patch identified at time of analysis - there is no JXL advisory or fixed firmware version in the provided data, so patching cannot be confirmed. As compensating controls, disable or turn off Bluetooth on the head unit when not actively in use to remove the attack surface entirely (trade-off: loses hands-free calling and audio streaming); set the device to non-discoverable/non-connectable mode to reduce, though not eliminate, exposure to crafted LMP packets from unpaired devices; and keep the head unit physically out of range of untrusted parties, recognizing the attacker must be within Bluetooth radio distance. Because the impact is only a crash/reboot with no persistence, power-cycling restores service. Monitor JXL India for a firmware update and consult the researcher writeup at https://github.com/thorat-shubham/JXL_Infotainment_CVE-2025-63895/blob/main/README.md for technical details.

Share

CVE-2025-63895 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy