CVE-2025-38593

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
19/08/2025
Last modified:
20/08/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_sync: fix double free in 'hci_discovery_filter_clear()'

Function 'hci_discovery_filter_clear()' frees 'uuids' array and then
sets it to NULL. There is a tiny chance of the following race:

'hci_cmd_sync_work()'

  'update_passive_scan_sync()'

    'hci_update_passive_scan_sync()'

      'hci_discovery_filter_clear()'
        kfree(uuids);

                                    'start_service_discovery()'

                                      'hci_discovery_filter_clear()'
                                        kfree(uuids); // DOUBLE FREE

        uuids = NULL;

To fix it let's add locking around 'kfree()' call and NULL pointer
assignment. Otherwise the following backtrace fires:

[ ] ------------[ cut here ]------------
[ ] kernel BUG at mm/slub.c:547!
[ ] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
[ ] CPU: 3 UID: 0 PID: 246 Comm: bluetoothd Tainted: G O 6.12.19-kernel #1
[ ] Tainted: [O]=OOT_MODULE
[ ] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ ] pc : __slab_free+0xf8/0x348
[ ] lr : __slab_free+0x48/0x348
...
[ ] Call trace:
[ ] __slab_free+0xf8/0x348
[ ] kfree+0x164/0x27c
[ ] start_service_discovery+0x1d0/0x2c0
[ ] hci_sock_sendmsg+0x518/0x924
[ ] __sock_sendmsg+0x54/0x60
[ ] sock_write_iter+0x98/0xf8
[ ] do_iter_readv_writev+0xe4/0x1c8
[ ] vfs_writev+0x128/0x2b0
[ ] do_writev+0xfc/0x118
[ ] __arm64_sys_writev+0x20/0x2c
[ ] invoke_syscall+0x68/0xf0
[ ] el0_svc_common.constprop.0+0x40/0xe0
[ ] do_el0_svc+0x1c/0x28
[ ] el0_svc+0x30/0xd0
[ ] el0t_64_sync_handler+0x100/0x12c
[ ] el0t_64_sync+0x194/0x198
[ ] Code: 8b0002e6 eb17031f 54fffbe1 d503201f (d4210000)
[ ] ---[ end trace 0000000000000000 ]---
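The interleaving in the description, replayed in userspace as an added example (this is not kernel code and not the patch itself). It models the two callers of the filter-clear routine as two threads, forces the second caller into the window between kfree() and the NULL store, and counts frees per block with a tracking allocator so the double free is reported instead of crashing. The names clear_unfixed(), clear_fixed(), mgmt_path(), track_free() and the barrier scaffolding are hypothetical stand-ins; the lock is a pthread mutex standing in for the kernel lock the fix takes around the kfree() and the assignment.

```c
/* Userspace model of the hci_discovery_filter_clear() race (added example,
 * not kernel code). Build: cc -pthread race.c -o race */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tracking allocator standing in for kmalloc()/kfree(): a second free of the
 * same block is recorded rather than handed to libc, so the model survives
 * the bug and can report it. Freeing NULL is a no-op, as with kfree(). */
#define MAX_TRACKED 8
static struct { void *ptr; int frees; } tracked[MAX_TRACKED];

static void *track_alloc(size_t n)
{
    void *p = malloc(n);
    for (int i = 0; p && i < MAX_TRACKED; i++)
        if (!tracked[i].ptr) { tracked[i].ptr = p; tracked[i].frees = 0; return p; }
    free(p);
    return NULL;
}

static void track_free(void *p)
{
    if (!p) return;
    for (int i = 0; i < MAX_TRACKED; i++)
        if (tracked[i].ptr == p) { if (++tracked[i].frees == 1) free(p); return; }
}

/* Blocks freed more than once: what mm/slub.c would BUG on. */
static int double_frees(void)
{
    int n = 0;
    for (int i = 0; i < MAX_TRACKED; i++)
        if (tracked[i].frees > 1) n++;
    return n;
}

struct discovery {
    uint8_t *uuids;            /* the 'uuids' array */
    pthread_mutex_t lock;      /* stand-in for the lock added by the fix */
    pthread_barrier_t window;  /* scaffolding: parks the second caller inside the free..NULL window */
    int locked;                /* 0 = unfixed clear, 1 = fixed clear */
};

/* Unfixed shape: free, then NULL, with nothing stopping a second caller from
 * reading the stale pointer in between. */
static void clear_unfixed(struct discovery *d, int hold_window)
{
    track_free(d->uuids);
    if (hold_window) {
        pthread_barrier_wait(&d->window);   /* second caller may enter the window now */
        pthread_barrier_wait(&d->window);   /* ...and has finished before we continue */
    }
    d->uuids = NULL;
}

/* Fixed shape: kfree() and the NULL store form one critical section. */
static void clear_fixed(struct discovery *d, int hold_window)
{
    pthread_mutex_lock(&d->lock);
    track_free(d->uuids);
    if (hold_window)
        pthread_barrier_wait(&d->window);   /* second caller now contends for the lock */
    d->uuids = NULL;
    pthread_mutex_unlock(&d->lock);
}

/* The start_service_discovery() side, reached from hci_sock_sendmsg(). */
static void *mgmt_path(void *arg)
{
    struct discovery *d = arg;
    pthread_barrier_wait(&d->window);       /* the sync worker has already freed uuids */
    if (d->locked) {
        clear_fixed(d, 0);                  /* waits for the worker; then sees NULL, kfree(NULL) is a no-op */
    } else {
        clear_unfixed(d, 0);                /* sees the stale pointer: DOUBLE FREE */
        pthread_barrier_wait(&d->window);   /* release the worker */
    }
    return NULL;
}

/* Runs the interleaving once; returns the number of double-freed blocks. */
static int run_race(int locked)
{
    struct discovery d = { .locked = locked };
    pthread_t t;
    memset(tracked, 0, sizeof tracked);
    d.uuids = track_alloc(16 * 4);          /* constructed: room for 16 32-bit UUID filters */
    pthread_mutex_init(&d.lock, NULL);
    pthread_barrier_init(&d.window, NULL, 2);
    pthread_create(&t, NULL, mgmt_path, &d);
    if (locked) clear_fixed(&d, 1);         /* the hci_update_passive_scan_sync() side */
    else        clear_unfixed(&d, 1);
    pthread_join(t, NULL);
    pthread_barrier_destroy(&d.window);
    pthread_mutex_destroy(&d.lock);
    return double_frees();
}

int main(void)
{
    printf("unfixed: %d double free(s)\n", run_race(0));
    printf("fixed:   %d double free(s)\n", run_race(1));
    return 0;
}
```

The barrier is only there to make the "tiny chance" happen every time; in the kernel the window is a few instructions wide and the second caller arrives from a userspace write on an HCI socket, which is why the backtrace above shows bluetoothd in writev(). With the lock in place the second caller waits until the first has stored NULL, and its kfree(NULL) does nothing.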

Impact