CVE-2025-40318
Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once
hci_cmd_sync_dequeue_once() does lookup and then cancel
the entry under two separate lock sections. Meanwhile,
hci_cmd_sync_work() can also delete the same entry,
leading to double list_del() and "UAF".
Fix this by holding cmd_sync_work_lock across both
lookup and cancel, so that the entry cannot be removed
concurrently.
Affected products
Linux · LinuxWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://git.kernel.org/stable/c/09b0cd1297b4dbfe736aeaa0ceeab2265f47f772https://git.kernel.org/stable/c/0a94f7e017438935c09ef833a1aa908ad9875213https://git.kernel.org/stable/c/932c0a4f77ac13e526fdd5b42914d29c9821d389https://git.kernel.org/stable/c/9cd536970192b72257afcdfba0bfc09993e6f19chttps://git.kernel.org/stable/c/ae76cf6c2c842944c6514c57df54d728f1916553