Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2025-38117

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
03/07/2025
Last modified:
20/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: MGMT: Protect mgmt_pending list with its own lock<br /> <br /> This uses a mutex to protect from concurrent access of mgmt_pending<br /> list which can cause crashes like:<br /> <br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in hci_sock_get_channel+0x60/0x68 net/bluetooth/hci_sock.c:91<br /> Read of size 2 at addr ffff0000c48885b2 by task syz.4.334/7318<br /> <br /> CPU: 0 UID: 0 PID: 7318 Comm: syz.4.334 Not tainted 6.15.0-rc7-syzkaller-g187899f4124a #0 PREEMPT<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025<br /> Call trace:<br /> show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)<br /> __dump_stack+0x30/0x40 lib/dump_stack.c:94<br /> dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120<br /> print_address_description+0xa8/0x254 mm/kasan/report.c:408<br /> print_report+0x68/0x84 mm/kasan/report.c:521<br /> kasan_report+0xb0/0x110 mm/kasan/report.c:634<br /> __asan_report_load2_noabort+0x20/0x2c mm/kasan/report_generic.c:379<br /> hci_sock_get_channel+0x60/0x68 net/bluetooth/hci_sock.c:91<br /> mgmt_pending_find+0x7c/0x140 net/bluetooth/mgmt_util.c:223<br /> pending_find net/bluetooth/mgmt.c:947 [inline]<br /> remove_adv_monitor+0x44/0x1a4 net/bluetooth/mgmt.c:5445<br /> hci_mgmt_cmd+0x780/0xc00 net/bluetooth/hci_sock.c:1712<br /> hci_sock_sendmsg+0x544/0xbb0 net/bluetooth/hci_sock.c:1832<br /> sock_sendmsg_nosec net/socket.c:712 [inline]<br /> __sock_sendmsg net/socket.c:727 [inline]<br /> sock_write_iter+0x25c/0x378 net/socket.c:1131<br /> new_sync_write fs/read_write.c:591 [inline]<br /> vfs_write+0x62c/0x97c fs/read_write.c:684<br /> ksys_write+0x120/0x210 fs/read_write.c:736<br /> __do_sys_write fs/read_write.c:747 [inline]<br /> __se_sys_write fs/read_write.c:744 [inline]<br /> __arm64_sys_write+0x7c/0x90 fs/read_write.c:744<br /> __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]<br /> invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49<br /> el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132<br /> do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151<br /> el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767<br /> el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786<br /> el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600<br /> <br /> Allocated by task 7037:<br /> kasan_save_stack mm/kasan/common.c:47 [inline]<br /> kasan_save_track+0x40/0x78 mm/kasan/common.c:68<br /> kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:562<br /> poison_kmalloc_redzone mm/kasan/common.c:377 [inline]<br /> __kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:394<br /> kasan_kmalloc include/linux/kasan.h:260 [inline]<br /> __do_kmalloc_node mm/slub.c:4327 [inline]<br /> __kmalloc_noprof+0x2fc/0x4c8 mm/slub.c:4339<br /> kmalloc_noprof include/linux/slab.h:909 [inline]<br /> sk_prot_alloc+0xc4/0x1f0 net/core/sock.c:2198<br /> sk_alloc+0x44/0x3ac net/core/sock.c:2254<br /> bt_sock_alloc+0x4c/0x300 net/bluetooth/af_bluetooth.c:148<br /> hci_sock_create+0xa8/0x194 net/bluetooth/hci_sock.c:2202<br /> bt_sock_create+0x14c/0x24c net/bluetooth/af_bluetooth.c:132<br /> __sock_create+0x43c/0x91c net/socket.c:1541<br /> sock_create net/socket.c:1599 [inline]<br /> __sys_socket_create net/socket.c:1636 [inline]<br /> __sys_socket+0xd4/0x1c0 net/socket.c:1683<br /> __do_sys_socket net/socket.c:1697 [inline]<br /> __se_sys_socket net/socket.c:1695 [inline]<br /> __arm64_sys_socket+0x7c/0x94 net/socket.c:1695<br /> __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]<br /> invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49<br /> el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132<br /> do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151<br /> el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767<br /> el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786<br /> el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600<br /> <br /> Freed by task 6607:<br /> kasan_save_stack mm/kasan/common.c:47 [inline]<br /> kasan_save_track+0x40/0x78 mm/kasan/common.c:68<br /> kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:576<br /> poison_slab_object mm/kasan/common.c:247 [inline]<br /> __kasan_slab_free+0x68/0x88 mm/kasan/common.c:264<br /> kasan_slab_free include/linux/kasan.h:233 [inline<br /> ---truncated---

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.80 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x
7.80
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.1 (including) 6.6.94 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.34 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.15.3 (excluding)
cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools