CVE-2025-40213
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-24

Last updated on: 2025-11-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to memcpy from badly declared on-stack flexible array. Another crash is in set_mesh_complete() due to double list_del via mgmt_pending_valid + mgmt_pending_remove. Use DEFINE_FLEX to declare the flexible array right, and don't memcpy outside bounds. As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free, and also report status on error.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-24
Last Modified
2025-11-25
Generated
2026-06-16
AI Q&A
2025-11-24
EPSS Evaluated
2026-06-14
NVD
CVE-2025-40213
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the Linux kernel's Bluetooth management involves crashes caused by improper handling of flexible arrays and list operations. Specifically, there is a stack-out-of-bounds error in the set_mesh_sync function due to memcpy being used on a badly declared on-stack flexible array. Additionally, set_mesh_complete can cause a crash due to a double removal from a list (double list_del) caused by improper management of pending commands. The fix involves correctly declaring the flexible array using DEFINE_FLEX, avoiding memcpy outside array bounds, and properly managing list removals and error reporting.

Impact Analysis

This vulnerability can cause crashes in the Linux kernel's Bluetooth subsystem, potentially leading to system instability or denial of service. If exploited or triggered, it could disrupt Bluetooth functionality or cause the system to become unresponsive or reboot unexpectedly.

Mitigation Strategies

Update the Linux kernel to a version where this vulnerability is fixed, as the issue involves a crash in Bluetooth MGMT due to improper handling of flexible arrays and list operations. Applying the patch that uses DEFINE_FLEX for flexible arrays and corrects list handling will mitigate the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-40213. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart