CVE-2025-40284
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-40284, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-06

Last updated on: 2025-12-08

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: cancel mesh send timer when hdev removed mesh_send_done timer is not canceled when hdev is removed, which causes crash if the timer triggers after hdev is gone. Cancel the timer when MGMT removes the hdev, like other MGMT timers. Should fix the BUG: sporadically seen by BlueZ test bot (in "Mesh - Send cancel - 1" test). Log: ------ BUG: KASAN: slab-use-after-free in run_timer_softirq+0x76b/0x7d0 ... Freed by task 36: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 __kasan_save_free_info+0x3a/0x60 __kasan_slab_free+0x43/0x70 kfree+0x103/0x500 device_release+0x9a/0x210 kobject_put+0x100/0x1e0 vhci_release+0x18b/0x240 ------

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-06
Last Modified
2025-12-08
Generated
2026-07-06
AI Q&A
2025-12-07
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability occurs in the Linux kernel's Bluetooth mesh management. Specifically, a timer called mesh_send_done is not canceled when the Bluetooth device (hdev) is removed. If the timer triggers after the device is gone, it causes a crash due to use-after-free errors. The fix involves canceling this timer when the device is removed to prevent such crashes.

Impact Analysis

This vulnerability can cause the Linux system to crash sporadically when the Bluetooth mesh send timer triggers after the Bluetooth device has been removed. This can lead to system instability or downtime, potentially affecting any services or applications relying on Bluetooth mesh functionality.

Detection Guidance

This vulnerability can be detected by monitoring system logs for crash messages related to Bluetooth mesh send timers, specifically looking for BUG reports such as 'KASAN: slab-use-after-free in run_timer_softirq'. You can check the kernel logs using commands like 'dmesg | grep -i kasan' or 'journalctl -k | grep -i kasan' to identify related use-after-free errors triggered by Bluetooth mesh operations.

Mitigation Strategies

Immediate mitigation involves updating the Linux kernel to a version where the Bluetooth MGMT mesh send timer is properly canceled when the hdev is removed. This fix prevents crashes caused by the timer triggering after device removal. Until an update is applied, avoid using Bluetooth mesh features that may trigger this timer to reduce the risk of system crashes.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-40284. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart