CVE-2025-40318

medium

Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once hci_cmd_sync_dequeue_once() does lookup and then cancel the entry under two separate lock sections. Meanwhile, hci_cmd_sync_work() can also delete the same entry, leading to double list_del() and "UAF". Fix this by holding cmd_sync_work_lock across both lookup and cancel, so that the entry cannot be removed concurrently.

References

https://git.kernel.org/stable/c/ae76cf6c2c842944c6514c57df54d728f1916553

https://git.kernel.org/stable/c/9cd536970192b72257afcdfba0bfc09993e6f19c

https://git.kernel.org/stable/c/932c0a4f77ac13e526fdd5b42914d29c9821d389

https://git.kernel.org/stable/c/0a94f7e017438935c09ef833a1aa908ad9875213

https://git.kernel.org/stable/c/09b0cd1297b4dbfe736aeaa0ceeab2265f47f772

Details

Source: Mitre, NVD

Published: 2025-12-08

Updated: 2025-12-08

Risk Information

CVSS v2

Base Score: 6.3

Vector: CVSS2#AV:L/AC:M/Au:N/C:N/I:C/A:C

Severity: Medium

CVSS v3

Base Score: 6.3

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H

Severity: Medium

EPSS

EPSS: 0.00018