CVE-2025-38118
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-38118
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38118.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-38118
- Downstream
- Related
- Published
- 2025-07-03T08:35:25Z
- Modified
- 2025-10-18T03:45:42.390554Z
- Summary
- Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: Fix UAF on mgmtremoveadvmonitorcomplete
This reworks MGMTOPREMOVEADVMONITOR to not use mgmtpendingadd to avoid crashes like bellow:
================================================================== BUG: KASAN: slab-use-after-free in mgmtremoveadvmonitorcomplete+0xe5/0x540 net/bluetooth/mgmt.c:5406 Read of size 8 at addr ffff88801c53f318 by task kworker/u5:5/5341
CPU: 0 UID: 0 PID: 5341 Comm: kworker/u5:5 Not tainted 6.15.0-syzkaller-10402-g4cb6c8af8591 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: hci0 hcicmdsyncwork Call Trace: <TASK> dumpstacklvl+0x189/0x250 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:408 [inline] printreport+0xd2/0x2b0 mm/kasan/report.c:521 kasanreport+0x118/0x150 mm/kasan/report.c:634 mgmtremoveadvmonitorcomplete+0xe5/0x540 net/bluetooth/mgmt.c:5406 hcicmdsyncwork+0x261/0x3a0 net/bluetooth/hcisync.c:334 processonework kernel/workqueue.c:3238 [inline] processscheduledworks+0xade/0x17b0 kernel/workqueue.c:3321 workerthread+0x8a0/0xda0 kernel/workqueue.c:3402 kthread+0x711/0x8a0 kernel/kthread.c:464 retfromfork+0x3fc/0x770 arch/x86/kernel/process.c:148 retfromforkasm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK>
Allocated by task 5987: kasansavestack mm/kasan/common.c:47 [inline] kasansavetrack+0x3e/0x80 mm/kasan/common.c:68 poisonkmallocredzone mm/kasan/common.c:377 [inline] _kasankmalloc+0x93/0xb0 mm/kasan/common.c:394 kasankmalloc include/linux/kasan.h:260 [inline] _kmalloccachenoprof+0x230/0x3d0 mm/slub.c:4358 kmallocnoprof include/linux/slab.h:905 [inline] kzallocnoprof include/linux/slab.h:1039 [inline] mgmtpendingnew+0x65/0x240 net/bluetooth/mgmtutil.c:252 mgmtpendingadd+0x34/0x120 net/bluetooth/mgmtutil.c:279 removeadvmonitor+0x103/0x1b0 net/bluetooth/mgmt.c:5454 hcimgmtcmd+0x9c9/0xef0 net/bluetooth/hcisock.c:1719 hcisocksendmsg+0x6ca/0xef0 net/bluetooth/hcisock.c:1839 socksendmsgnosec net/socket.c:712 [inline] _socksendmsg+0x219/0x270 net/socket.c:727 sockwriteiter+0x258/0x330 net/socket.c:1131 newsyncwrite fs/readwrite.c:593 [inline] vfswrite+0x548/0xa90 fs/readwrite.c:686 ksyswrite+0x145/0x250 fs/readwrite.c:738 dosyscallx64 arch/x86/entry/syscall64.c:63 [inline] dosyscall64+0xfa/0x3b0 arch/x86/entry/syscall64.c:94 entrySYSCALL64after_hwframe+0x77/0x7f
Freed by task 5989: kasansavestack mm/kasan/common.c:47 [inline] kasansavetrack+0x3e/0x80 mm/kasan/common.c:68 kasansavefreeinfo+0x46/0x50 mm/kasan/generic.c:576 poisonslabobject mm/kasan/common.c:247 [inline] _kasanslabfree+0x62/0x70 mm/kasan/common.c:264 kasanslabfree include/linux/kasan.h:233 [inline] slabfreehook mm/slub.c:2380 [inline] slabfree mm/slub.c:4642 [inline] kfree+0x18e/0x440 mm/slub.c:4841 mgmtpendingforeach+0xc9/0x120 net/bluetooth/mgmtutil.c:242 mgmtindexremoved+0x10d/0x2f0 net/bluetooth/mgmt.c:9366 hcisockbind+0xbe9/0x1000 net/bluetooth/hcisock.c:1314 _sysbindsocket net/socket.c:1810 [inline] _sysbind+0x2c3/0x3e0 net/socket.c:1841 _dosysbind net/socket.c:1846 [inline] _sesysbind net/socket.c:1844 [inline] _x64sysbind+0x7a/0x90 net/socket.c:1844 dosyscallx64 arch/x86/entry/syscall64.c:63 [inline] dosyscall64+0xfa/0x3b0 arch/x86/entry/syscall64.c:94 entrySYSCALL64after_hwframe+0x77/0x7f
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/32aa2fbe319f33b0318ec6f4fceb63879771a286
- https://git.kernel.org/stable/c/3c9aba9cbdf163e2654be9f82d43ff8a04273962
- https://git.kernel.org/stable/c/9df3e5e7f7e4653fd9802878cedc36defc5ef42d
- https://git.kernel.org/stable/c/9f66b6531c2b4e996bb61720ee94adb4b2e8d1be
- https://git.kernel.org/stable/c/e6ed54e86aae9e4f7286ce8d5c73780f91b48d1c
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced66bd095ab5d408af106808cce302406542f70f65Fixed3c9aba9cbdf163e2654be9f82d43ff8a04273962
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced66bd095ab5d408af106808cce302406542f70f65Fixed9f66b6531c2b4e996bb61720ee94adb4b2e8d1be
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced66bd095ab5d408af106808cce302406542f70f65Fixed9df3e5e7f7e4653fd9802878cedc36defc5ef42d
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced66bd095ab5d408af106808cce302406542f70f65Fixed32aa2fbe319f33b0318ec6f4fceb63879771a286
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced66bd095ab5d408af106808cce302406542f70f65Fixede6ed54e86aae9e4f7286ce8d5c73780f91b48d1c