CVE-2025-39860
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
19/09/2025
Last modified:
20/01/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()<br />
<br />
syzbot reported the splat below without a repro.<br />
<br />
In the splat, a single thread calling bt_accept_dequeue() freed sk<br />
and touched it after that.<br />
<br />
The root cause would be the racy l2cap_sock_cleanup_listen() call<br />
added by the cited commit.<br />
<br />
bt_accept_dequeue() is called under lock_sock() except for<br />
l2cap_sock_release().<br />
<br />
Two threads could see the same socket during the list iteration<br />
in bt_accept_dequeue():<br />
<br />
CPU1 CPU2 (close())<br />
---- ----<br />
sock_hold(sk) sock_hold(sk);<br />
lock_sock(sk)
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.14.322 (including) | 4.15 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.19.291 (including) | 4.20 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.4.253 (including) | 5.4.299 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.10.190 (including) | 5.10.243 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15.126 (including) | 5.15.192 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.1.45 (including) | 6.1.151 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.4.10 (including) | 6.6.105 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.46 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.16.6 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.17:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/2ca99fc3512a8074de20ee52a87b492dfcc41a4d
- https://git.kernel.org/stable/c/306b0991413b482dbf5585b423022123bb505966
- https://git.kernel.org/stable/c/3dff390f55ccd9ce12e91233849769b5312180c2
- https://git.kernel.org/stable/c/47f6090bcf75c369695d21c3f179db8a56bbbd49
- https://git.kernel.org/stable/c/6077d16b5c0f65d571eee709de2f0541fb5ef0ca
- https://git.kernel.org/stable/c/83e1d9892ef51785cf0760b7681436760dda435a
- https://git.kernel.org/stable/c/862c628108562d8c7a516a900034823b381d3cba
- https://git.kernel.org/stable/c/964cbb198f9c46c2b2358cd1faffc04c1e8248cf
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html