Technical Advisory

Through sharp, technical and insightful analysis, the Payatu Team is constantly on the lookout for vulnerabilities and threats. This section exhibits a few of our findings.

Bluetooth Classic LMP Handle Flaw Exploitation

Vulnerability 

The infotainment unit uses a Bluetooth Classic (BR/EDR) chipset that contains a flaw in how it processes low-level LMP control messages during wireless communication. Due to improper validation of these packets, the Bluetooth controller inside the infotainment system can be pushed into an invalid or unexpected state when it receives malformed or out-of-sequence control messages from a nearby device.

Impact 

The vulnerability affects the stability and reliability of the vehicle’s infotainment system by allowing unauthenticated Bluetooth Classic traffic to interact with low-level protocol handling. Since the issue occurs at the LMP controller layer, malformed control messages can be processed before any pairing or authentication takes place. As a result, the infotainment unit may enter an unstable state, leading to crashes, denial-of-service conditions, or sudden reboots triggered by external, non-trusted Bluetooth devices. This behavior exposes the system to unauthenticated disruption through its Bluetooth Classic interface.

CVE ID 

CVE-2025-63895

Vendor 

JXL Infotainment

Product 

JXL 9 Inch Car Android Double Din Player

CVSS Score

Base Score: 5.9

CVSS Base Vector: AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H

Disclosure Timeline 

23-09-2025 – Reported to Vendor

20-11-2025 – CVE ID Reserved

11-12-2025 – CVE published

Credits 

Shubham S. Thorat – Payatu Security Consulting Pvt. Ltd.
