CVE-2025-40284
- Source
- https://cve.org/CVERecord?id=CVE-2025-40284
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40284.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-40284
- Downstream
- Related
- Published
- 2025-12-06T21:51:08.488Z
- Modified
- 2026-03-21T08:29:07.314142Z
- Summary
- Bluetooth: MGMT: cancel mesh send timer when hdev removed
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: cancel mesh send timer when hdev removed
meshsenddone timer is not canceled when hdev is removed, which causes crash if the timer triggers after hdev is gone.
Cancel the timer when MGMT removes the hdev, like other MGMT timers.
Should fix the BUG: sporadically seen by BlueZ test bot (in "Mesh - Send cancel - 1" test).
Log:
BUG: KASAN: slab-use-after-free in runtimersoftirq+0x76b/0x7d0 ... Freed by task 36: kasansavestack+0x24/0x50 kasansavetrack+0x14/0x30 __kasansavefree_info+0x3a/0x60 __kasanslabfree+0x43/0x70 kfree+0x103/0x500 devicerelease+0x9a/0x210 kobjectput+0x100/0x1e0
vhci_release+0x18b/0x240
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40284.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/stable/c/2927ff643607eddf4f03d10ef80fe10d977154aa
- https://git.kernel.org/stable/c/55fb52ffdd62850d667ebed842815e072d3c9961
- https://git.kernel.org/stable/c/7b6b6c077cad0601d62c3c34ab7ce3fb25deda7b
- https://git.kernel.org/stable/c/990e6143b0ca0c66f099d67d00c112bf59b30d76
- https://git.kernel.org/stable/c/fd62ca5ad136dcf6f5aa308423b299a6be6f54ea
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40284.json
- https://nvd.nist.gov/vuln/detail/CVE-2025-40284
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedb338d91703fae6f6afd67f3f75caa3b8f36ddef3Fixed990e6143b0ca0c66f099d67d00c112bf59b30d76Fixed2927ff643607eddf4f03d10ef80fe10d977154aaFixed7b6b6c077cad0601d62c3c34ab7ce3fb25deda7bFixedfd62ca5ad136dcf6f5aa308423b299a6be6f54eaFixed55fb52ffdd62850d667ebed842815e072d3c9961