CVE-2025-40284
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-06

Last updated on: 2025-12-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: cancel mesh send timer when hdev removed mesh_send_done timer is not canceled when hdev is removed, which causes crash if the timer triggers after hdev is gone. Cancel the timer when MGMT removes the hdev, like other MGMT timers. Should fix the BUG: sporadically seen by BlueZ test bot (in "Mesh - Send cancel - 1" test). Log: ------ BUG: KASAN: slab-use-after-free in run_timer_softirq+0x76b/0x7d0 ... Freed by task 36: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 __kasan_save_free_info+0x3a/0x60 __kasan_slab_free+0x43/0x70 kfree+0x103/0x500 device_release+0x9a/0x210 kobject_put+0x100/0x1e0 vhci_release+0x18b/0x240 ------
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-06
Last Modified
2025-12-08
Generated
2026-06-16
AI Q&A
2025-12-07
EPSS Evaluated
2026-06-15
NVD
CVE-2025-40284
EUVD
EUVD-2025-201571
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in the Linux kernel's Bluetooth mesh management. Specifically, a timer called mesh_send_done is not canceled when the Bluetooth device (hdev) is removed. If the timer triggers after the device is gone, it causes a crash due to use-after-free errors. The fix involves canceling this timer when the device is removed to prevent such crashes.

Impact Analysis

This vulnerability can cause the Linux system to crash sporadically when the Bluetooth mesh send timer triggers after the Bluetooth device has been removed. This can lead to system instability or downtime, potentially affecting any services or applications relying on Bluetooth mesh functionality.

Detection Guidance

This vulnerability can be detected by monitoring system logs for crash messages related to Bluetooth mesh send timers, specifically looking for BUG reports such as 'KASAN: slab-use-after-free in run_timer_softirq'. You can check the kernel logs using commands like 'dmesg | grep -i kasan' or 'journalctl -k | grep -i kasan' to identify related use-after-free errors triggered by Bluetooth mesh operations.

Mitigation Strategies

Immediate mitigation involves updating the Linux kernel to a version where the Bluetooth MGMT mesh send timer is properly canceled when the hdev is removed. This fix prevents crashes caused by the timer triggering after device removal. Until an update is applied, avoid using Bluetooth mesh features that may trigger this timer to reduce the risk of system crashes.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-40284. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart