CVE-2025-40318
- Source
- https://cve.org/CVERecord?id=CVE-2025-40318
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40318.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-40318
- Downstream
- Related
- Published
- 2025-12-08T00:46:45.382Z
- Modified
- 2026-03-20T12:43:16.071391Z
- Summary
- Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hcisync: fix race in hcicmdsyncdequeue_once
hcicmdsyncdequeueonce() does lookup and then cancel the entry under two separate lock sections. Meanwhile, hcicmdsyncwork() can also delete the same entry, leading to double listdel() and "UAF".
Fix this by holding cmdsyncwork_lock across both lookup and cancel, so that the entry cannot be removed concurrently.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40318.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/stable/c/09b0cd1297b4dbfe736aeaa0ceeab2265f47f772
- https://git.kernel.org/stable/c/0a94f7e017438935c09ef833a1aa908ad9875213
- https://git.kernel.org/stable/c/932c0a4f77ac13e526fdd5b42914d29c9821d389
- https://git.kernel.org/stable/c/9cd536970192b72257afcdfba0bfc09993e6f19c
- https://git.kernel.org/stable/c/ae76cf6c2c842944c6514c57df54d728f1916553
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40318.json
- https://nvd.nist.gov/vuln/detail/CVE-2025-40318
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedf00f36db76eb8fd10d13e80e2590f23b5beaa54dFixed0a94f7e017438935c09ef833a1aa908ad9875213
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced1499f79995c7ee58e3bfeeff75f6d1b37dcda881Fixed932c0a4f77ac13e526fdd5b42914d29c9821d389
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced505ea2b295929e7be2b4e1bc86ee31cb7862fb01Fixedae76cf6c2c842944c6514c57df54d728f1916553Fixed9cd536970192b72257afcdfba0bfc09993e6f19cFixed09b0cd1297b4dbfe736aeaa0ceeab2265f47f772
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affected357603f4d396d85fbf0045512efaf1d7f7394ed7
Linux / Kernel
Package
- Name
- Kernel