AZL-72349

See a problem?
Import Source
https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-72349.json
JSON Data
https://api.test.osv.dev/v1/vulns/AZL-72349
Upstream
Published
2025-09-19T16:15:45Z
Modified
2026-04-01T05:22:34.140720Z
Summary
CVE-2025-39863 affecting package kernel 5.15.200.1-1
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: fix use-after-free when rescheduling brcmfbtcoexinfo work

The brcmfbtcoexdetach() only shuts down the btcoex timer, if the flag timeron is false. However, the brcmfbtcoextimerfunc(), which runs as timer handler, sets timeron to false. This creates critical race conditions:

1.If brcmfbtcoexdetach() is called while brcmfbtcoextimerfunc() is executing, it may observe timeron as false and skip the call to timershutdown_sync().

2.The brcmfbtcoextimerfunc() may then reschedule the brcmfbtcoexinfo worker after the cancelworksync() has been executed, resulting in use-after-free bugs.

The use-after-free bugs occur in two distinct scenarios, depending on the timing of when the brcmfbtcoexinfo struct is freed relative to the execution of its worker thread.

Scenario 1: Freed before the worker is scheduled

The brcmfbtcoexinfo is deallocated before the worker is scheduled. A race condition can occur when schedulework(&btlocal->work) is called after the target memory has been freed. The sequence of events is detailed below:

CPU0 | CPU1 brcmfbtcoexdetach | brcmfbtcoextimerfunc | btlocal->timeron = false; if (cfg->btcoex->timeron) | ... | cancelworksync(); | ... | kfree(cfg->btcoex); // FREE | | schedulework(&bt_local->work); // USE

Scenario 2: Freed after the worker is scheduled

The brcmfbtcoexinfo is freed after the worker has been scheduled but before or during its execution. In this case, statements within the brcmfbtcoexhandler() — such as the containerof macro and subsequent dereferences of the brcmfbtcoex_info object will cause a use-after-free access. The following timeline illustrates this scenario:

CPU0 | CPU1 brcmfbtcoexdetach | brcmfbtcoextimerfunc | btlocal->timeron = false; if (cfg->btcoex->timeron) | ... | cancelworksync(); | ... | schedulework(); // Reschedule | kfree(cfg->btcoex); // FREE | brcmfbtcoexhandler() // Worker /* | btci = container_of(....); // USE The kfree() above could | ... also occur at any point | btci-> // USE during the worker's execution| */ |

To resolve the race conditions, drop the conditional check and call timershutdownsync() directly. It can deactivate the timer reliably, regardless of its current state. Once stopped, the timer_on state is then set to false.

References

Affected packages

Azure Linux:2 / kernel

Package

Name
kernel
Purl
pkg:rpm/azure-linux/kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
5.15.200.1-1

Database specific

source 
"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-72349.json"