CVE-2025-39982
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-39982
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-39982.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-39982
- Downstream
- Published
- 2025-10-15T07:56:02Z
- Modified
- 2025-10-18T08:05:49.779517Z
- Summary
- Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hcievent: Fix UAF in hciaclcreateconn_sync
This fixes the following UFA in hciaclcreateconnsync where a connection still pending is command submission (conn->state == BTOPEN) maybe freed, also since this also can happen with the likes of hcilecreateconn_sync fix it as well:
BUG: KASAN: slab-use-after-free in hciaclcreateconnsync+0x5ef/0x790 net/bluetooth/hci_sync.c:6861 Write of size 2 at addr ffff88805ffcc038 by task kworker/u11:2/9541
CPU: 1 UID: 0 PID: 9541 Comm: kworker/u11:2 Not tainted 6.16.0-rc7 #3 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 Workqueue: hci3 hcicmdsyncwork Call Trace: <TASK> dumpstacklvl+0x189/0x250 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:378 [inline] printreport+0xca/0x230 mm/kasan/report.c:480 kasanreport+0x118/0x150 mm/kasan/report.c:593 hciaclcreateconnsync+0x5ef/0x790 net/bluetooth/hcisync.c:6861 hcicmdsyncwork+0x210/0x3a0 net/bluetooth/hcisync.c:332 processonework kernel/workqueue.c:3238 [inline] processscheduledworks+0xae1/0x17b0 kernel/workqueue.c:3321 workerthread+0x8a0/0xda0 kernel/workqueue.c:3402 kthread+0x70e/0x8a0 kernel/kthread.c:464 retfromfork+0x3fc/0x770 arch/x86/kernel/process.c:148 retfromforkasm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry64.S:245 </TASK>
Allocated by task 123736: kasansavestack mm/kasan/common.c:47 [inline] kasansavetrack+0x3e/0x80 mm/kasan/common.c:68 poisonkmallocredzone mm/kasan/common.c:377 [inline] _kasankmalloc+0x93/0xb0 mm/kasan/common.c:394 kasankmalloc include/linux/kasan.h:260 [inline] _kmalloccachenoprof+0x230/0x3d0 mm/slub.c:4359 kmallocnoprof include/linux/slab.h:905 [inline] kzallocnoprof include/linux/slab.h:1039 [inline] _hciconnadd+0x233/0x1b30 net/bluetooth/hciconn.c:939 hciconnaddunset net/bluetooth/hciconn.c:1051 [inline] hciconnectacl+0x16c/0x4e0 net/bluetooth/hciconn.c:1634 pairdevice+0x418/0xa70 net/bluetooth/mgmt.c:3556 hcimgmtcmd+0x9c9/0xef0 net/bluetooth/hcisock.c:1719 hcisocksendmsg+0x6ca/0xef0 net/bluetooth/hcisock.c:1839 socksendmsgnosec net/socket.c:712 [inline] _socksendmsg+0x219/0x270 net/socket.c:727 sockwriteiter+0x258/0x330 net/socket.c:1131 newsyncwrite fs/readwrite.c:593 [inline] vfswrite+0x54b/0xa90 fs/readwrite.c:686 ksyswrite+0x145/0x250 fs/readwrite.c:738 dosyscallx64 arch/x86/entry/syscall64.c:63 [inline] dosyscall64+0xfa/0x3b0 arch/x86/entry/syscall64.c:94 entrySYSCALL64after_hwframe+0x77/0x7f
Freed by task 103680: kasansavestack mm/kasan/common.c:47 [inline] kasansavetrack+0x3e/0x80 mm/kasan/common.c:68 kasansavefreeinfo+0x46/0x50 mm/kasan/generic.c:576 poisonslabobject mm/kasan/common.c:247 [inline] _kasanslabfree+0x62/0x70 mm/kasan/common.c:264 kasanslabfree include/linux/kasan.h:233 [inline] slabfreehook mm/slub.c:2381 [inline] slabfree mm/slub.c:4643 [inline] kfree+0x18e/0x440 mm/slub.c:4842 devicerelease+0x9c/0x1c0 kobjectcleanup lib/kobject.c:689 [inline] kobjectrelease lib/kobject.c:720 [inline] krefput include/linux/kref.h:65 [inline] kobjectput+0x22b/0x480 lib/kobject.c:737 hciconncleanup net/bluetooth/hciconn.c:175 [inline] hciconndel+0x8ff/0xcb0 net/bluetooth/hciconn.c:1173 hciconncompleteevt+0x3c7/0x1040 net/bluetooth/hcievent.c:3199 hcieventfunc net/bluetooth/hcievent.c:7477 [inline] hcieventpacket+0x7e0/0x1200 net/bluetooth/hcievent.c:7531 hcirxwork+0x46a/0xe80 net/bluetooth/hcicore.c:4070 processonework kernel/workqueue.c:3238 [inline] processscheduledworks+0xae1/0x17b0 kernel/workqueue.c:3321 workerthread+0x8a0/0xda0 kernel/workqueue.c:3402 kthread+0x70e/0x8a0 kernel/kthread.c:464 retfromfork+0x3fc/0x770 arch/x86/kernel/process.c:148 retfromfork_asm+0x1a/0x30 home/kwqcheii/sour ---truncated---
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/484c7d571a3d1b3fd298fa691b660438c4548a53
- https://git.kernel.org/stable/c/6243bda271a628c48875e3e473206e7f584892ce
- https://git.kernel.org/stable/c/9e622804d57e2d08f0271200606bd1270f75126f
- https://git.kernel.org/stable/c/a78fd4fc5694ecb3b97deb2ad9eaebd67b4d2b08
- https://git.kernel.org/stable/c/bcce99f613163a43de24674b717e7a6c135fc879
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedaef2aa4fa98e18ea5d9345bf777ee698c8598728Fixed6243bda271a628c48875e3e473206e7f584892ce
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedaef2aa4fa98e18ea5d9345bf777ee698c8598728Fixedbcce99f613163a43de24674b717e7a6c135fc879
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedaef2aa4fa98e18ea5d9345bf777ee698c8598728Fixed484c7d571a3d1b3fd298fa691b660438c4548a53
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedaef2aa4fa98e18ea5d9345bf777ee698c8598728Fixeda78fd4fc5694ecb3b97deb2ad9eaebd67b4d2b08
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedaef2aa4fa98e18ea5d9345bf777ee698c8598728Fixed9e622804d57e2d08f0271200606bd1270f75126f
Affected versions
v5.*
v6.*
Database specific
vanir_signatures
[
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6243bda271a628c48875e3e473206e7f584892ce",
"deprecated": false,
"digest": {
"function_hash": "1489831242259486479756657229313262484",
"length": 2750.0
},
"signature_version": "v1",
"id": "CVE-2025-39982-09b44a84",
"signature_type": "Function",
"target": {
"file": "net/bluetooth/hci_event.c",
"function": "le_conn_complete_evt"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bcce99f613163a43de24674b717e7a6c135fc879",
"deprecated": false,
"digest": {
"function_hash": "99216044917196597658462618109945938256",
"length": 2536.0
},
"signature_version": "v1",
"id": "CVE-2025-39982-09c9fa46",
"signature_type": "Function",
"target": {
"file": "net/bluetooth/hci_event.c",
"function": "le_conn_complete_evt"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@484c7d571a3d1b3fd298fa691b660438c4548a53",
"deprecated": false,
"digest": {
"line_hashes": [
"280403115645764667719513206826054039291",
"267475748231182583480348773357658711628",
"270009001218317303828063815095080212599",
"200031170550845101985063151253147113801",
"115129249184519293861112301172657215633",
"144718870196078288827029374462674131598",
"40126379625903319882619860098288986945",
"185641683843692917020538990771294001438",
"6642918489746524156889008633579228685",
"58545316172939852987032598393626816123"
],
"threshold": 0.9
},
"signature_version": "v1",
"id": "CVE-2025-39982-1591a520",
"signature_type": "Line",
"target": {
"file": "net/bluetooth/hci_event.c"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a78fd4fc5694ecb3b97deb2ad9eaebd67b4d2b08",
"deprecated": false,
"digest": {
"function_hash": "99216044917196597658462618109945938256",
"length": 2536.0
},
"signature_version": "v1",
"id": "CVE-2025-39982-257277cd",
"signature_type": "Function",
"target": {
"file": "net/bluetooth/hci_event.c",
"function": "le_conn_complete_evt"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9e622804d57e2d08f0271200606bd1270f75126f",
"deprecated": false,
"digest": {
"function_hash": "190207761695129447281748293400576781320",
"length": 2611.0
},
"signature_version": "v1",
"id": "CVE-2025-39982-2e424ccb",
"signature_type": "Function",
"target": {
"file": "net/bluetooth/hci_event.c",
"function": "hci_conn_complete_evt"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bcce99f613163a43de24674b717e7a6c135fc879",
"deprecated": false,
"digest": {
"line_hashes": [
"280403115645764667719513206826054039291",
"267475748231182583480348773357658711628",
"270009001218317303828063815095080212599",
"200031170550845101985063151253147113801",
"115129249184519293861112301172657215633",
"144718870196078288827029374462674131598",
"40126379625903319882619860098288986945",
"185641683843692917020538990771294001438",
"6642918489746524156889008633579228685",
"58545316172939852987032598393626816123"
],
"threshold": 0.9
},
"signature_version": "v1",
"id": "CVE-2025-39982-6599a391",
"signature_type": "Line",
"target": {
"file": "net/bluetooth/hci_event.c"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9e622804d57e2d08f0271200606bd1270f75126f",
"deprecated": false,
"digest": {
"function_hash": "99216044917196597658462618109945938256",
"length": 2536.0
},
"signature_version": "v1",
"id": "CVE-2025-39982-780a7fb1",
"signature_type": "Function",
"target": {
"file": "net/bluetooth/hci_event.c",
"function": "le_conn_complete_evt"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a78fd4fc5694ecb3b97deb2ad9eaebd67b4d2b08",
"deprecated": false,
"digest": {
"line_hashes": [
"280403115645764667719513206826054039291",
"267475748231182583480348773357658711628",
"270009001218317303828063815095080212599",
"200031170550845101985063151253147113801",
"115129249184519293861112301172657215633",
"144718870196078288827029374462674131598",
"40126379625903319882619860098288986945",
"185641683843692917020538990771294001438",
"6642918489746524156889008633579228685",
"58545316172939852987032598393626816123"
],
"threshold": 0.9
},
"signature_version": "v1",
"id": "CVE-2025-39982-a45783aa",
"signature_type": "Line",
"target": {
"file": "net/bluetooth/hci_event.c"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6243bda271a628c48875e3e473206e7f584892ce",
"deprecated": false,
"digest": {
"line_hashes": [
"280403115645764667719513206826054039291",
"267475748231182583480348773357658711628",
"270009001218317303828063815095080212599",
"200031170550845101985063151253147113801",
"115129249184519293861112301172657215633",
"144718870196078288827029374462674131598",
"40126379625903319882619860098288986945",
"185641683843692917020538990771294001438",
"6642918489746524156889008633579228685",
"246401805584565423908671317276734281335"
],
"threshold": 0.9
},
"signature_version": "v1",
"id": "CVE-2025-39982-a9c72e6a",
"signature_type": "Line",
"target": {
"file": "net/bluetooth/hci_event.c"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bcce99f613163a43de24674b717e7a6c135fc879",
"deprecated": false,
"digest": {
"function_hash": "162235239890662990014873576477886465296",
"length": 2901.0
},
"signature_version": "v1",
"id": "CVE-2025-39982-b3270cb4",
"signature_type": "Function",
"target": {
"file": "net/bluetooth/hci_event.c",
"function": "hci_conn_complete_evt"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a78fd4fc5694ecb3b97deb2ad9eaebd67b4d2b08",
"deprecated": false,
"digest": {
"function_hash": "190207761695129447281748293400576781320",
"length": 2611.0
},
"signature_version": "v1",
"id": "CVE-2025-39982-bcea4795",
"signature_type": "Function",
"target": {
"file": "net/bluetooth/hci_event.c",
"function": "hci_conn_complete_evt"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@484c7d571a3d1b3fd298fa691b660438c4548a53",
"deprecated": false,
"digest": {
"function_hash": "162235239890662990014873576477886465296",
"length": 2901.0
},
"signature_version": "v1",
"id": "CVE-2025-39982-d4030335",
"signature_type": "Function",
"target": {
"file": "net/bluetooth/hci_event.c",
"function": "hci_conn_complete_evt"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6243bda271a628c48875e3e473206e7f584892ce",
"deprecated": false,
"digest": {
"function_hash": "191076306775884942080216164899248428391",
"length": 3083.0
},
"signature_version": "v1",
"id": "CVE-2025-39982-d4b1ad07",
"signature_type": "Function",
"target": {
"file": "net/bluetooth/hci_event.c",
"function": "hci_conn_complete_evt"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9e622804d57e2d08f0271200606bd1270f75126f",
"deprecated": false,
"digest": {
"line_hashes": [
"280403115645764667719513206826054039291",
"267475748231182583480348773357658711628",
"270009001218317303828063815095080212599",
"200031170550845101985063151253147113801",
"115129249184519293861112301172657215633",
"144718870196078288827029374462674131598",
"40126379625903319882619860098288986945",
"185641683843692917020538990771294001438",
"6642918489746524156889008633579228685",
"58545316172939852987032598393626816123"
],
"threshold": 0.9
},
"signature_version": "v1",
"id": "CVE-2025-39982-f361991e",
"signature_type": "Line",
"target": {
"file": "net/bluetooth/hci_event.c"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@484c7d571a3d1b3fd298fa691b660438c4548a53",
"deprecated": false,
"digest": {
"function_hash": "99216044917196597658462618109945938256",
"length": 2536.0
},
"signature_version": "v1",
"id": "CVE-2025-39982-fc1cb6d8",
"signature_type": "Function",
"target": {
"file": "net/bluetooth/hci_event.c",
"function": "le_conn_complete_evt"
}
}
]