CVE-2025-40318
BaseFortify
Publication date: 2025-12-08
Last updated on: 2025-12-08
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a race condition in the Linux kernel's Bluetooth subsystem. Specifically, the function hci_cmd_sync_dequeue_once() performs a lookup and cancellation of an entry under two separate lock sections. Meanwhile, another function, hci_cmd_sync_work(), can delete the same entry concurrently. This can lead to a double deletion of the list entry, causing a use-after-free (UAF) error. The fix involves holding a lock (cmd_sync_work_lock) across both lookup and cancel operations to prevent concurrent removal of the entry.
How can this vulnerability impact me? :
This vulnerability can lead to a use-after-free condition in the Bluetooth subsystem of the Linux kernel, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges if exploited.
What immediate steps should I take to mitigate this vulnerability?
Apply the patch that fixes the race condition in the Linux kernel Bluetooth component by ensuring the cmd_sync_work_lock is held across both lookup and cancel operations in hci_cmd_sync_dequeue_once. This prevents double deletion and use-after-free errors. Until patched, consider disabling Bluetooth functionality if possible to mitigate risk.