CVE-2025-40318
Published: December 9, 2025Last modified: December 9, 2025
Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once hci_cmd_sync_dequeue_once() does lookup and then cancel the entry under two separate lock sections. Meanwhile, hci_cmd_sync_work() can also delete the same entry, leading to double list_del() and "UAF". Fix this by holding cmd_sync_work_lock across both lookup and cancel, so that the entry cannot be removed concurrently.
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | linux-lts | Fixed (6.1.159-r0) |
| 25 LTS | linux-lts | Fixed (6.12.58-r0) | |
| Stream | linux-lts | Fixed (6.12.58-r0) |
References
- https://git.kernel.org/stable/c/09b0cd1297b4dbfe736aeaa0ceeab2265f47f772
- https://git.kernel.org/stable/c/0a94f7e017438935c09ef833a1aa908ad9875213
- https://git.kernel.org/stable/c/932c0a4f77ac13e526fdd5b42914d29c9821d389
- https://git.kernel.org/stable/c/9cd536970192b72257afcdfba0bfc09993e6f19c
- https://git.kernel.org/stable/c/ae76cf6c2c842944c6514c57df54d728f1916553