cbcvebase.
CVE-2025-39860
published 2025-09-19


Severity: High, 7.8 (CVSS 3.1)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()

syzbot reported the splat below without a repro.

In the splat, a single thread calling bt_accept_dequeue() freed sk and touched it after that.

The root cause would be the racy l2cap_sock_cleanup_listen() call added by the cited commit.

bt_accept_dequeue() is called under lock_sock() except for l2cap_sock_release().

Two threads could see the same socket during the list iteration in bt_accept_dequeue():

    CPU1                    CPU2 (close())
    ----                    ----
    sock_hold(sk)           sock_hold(sk);
    lock_sock(sk)

    __dump_stack lib/dump_stack.c:94 [inline]
    dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
    print_address_description mm/kasan/report.c:378 [inline]
    print_report+0xcd/0x630 mm/kasan/report.c:482
    kasan_report+0xe0/0x110 mm/kasan/report.c:595
    debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
    do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115
    spin_lock_bh include/linux/spinlock.h:356 [inline]
    release_sock+0x21/0x220 net/core/sock.c:3746
    bt_accept_dequeue+0x505/0x600 net/bluetooth/af_bluetooth.c:312
    l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451
    l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425
    __sock_release+0xb3/0x270 net/socket.c:649
    sock_close+0x1c/0x30 net/socket.c:1439
    __fput+0x3ff/0xb70 fs/file_table.c:468
    task_work_run+0x14d/0x240 kernel/task_work.c:227
    resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
    exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43
    exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
    syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
    syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
    do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
    entry_SYSCALL_64_after_hwframe+0x77/0x7f
    RIP: 0033:0x7f2accf8ebe9
    Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca

Affected

41 ranges (showing 25)

Vendor | Product      | Version range                                                                                       | Fixed in
debian | debian_linux |                                                                                                     |
debian | linux        | < linux 6.1.153-1 (bookworm)                                                                        | linux 6.1.153-1 (bookworm)
debian | linux-6.1    | < linux 6.1.153-1 (bookworm)                                                                        | linux 6.1.153-1 (bookworm)
linux  | linux        |                                                                                                     |
linux  | linux        |                                                                                                     |
linux  | linux        |                                                                                                     |
linux  | linux        |                                                                                                     |
linux  | linux        | >= 06f87c96216bc5cd1094c23492274f77f1d5dd3b < 83e1d9892ef51785cf0760b7681436760dda435a             | 83e1d9892ef51785cf0760b7681436760dda435a
linux  | linux        | >= 1728137b33c00d5a2b5110ed7aafb42e7c32e4a1 < 6077d16b5c0f65d571eee709de2f0541fb5ef0ca             | 6077d16b5c0f65d571eee709de2f0541fb5ef0ca
linux  | linux        | >= 1728137b33c00d5a2b5110ed7aafb42e7c32e4a1 < 306b0991413b482dbf5585b423022123bb505966             | 306b0991413b482dbf5585b423022123bb505966
linux  | linux        | >= 1728137b33c00d5a2b5110ed7aafb42e7c32e4a1 < 3dff390f55ccd9ce12e91233849769b5312180c2             | 3dff390f55ccd9ce12e91233849769b5312180c2
linux  | linux        | >= 1728137b33c00d5a2b5110ed7aafb42e7c32e4a1 < 862c628108562d8c7a516a900034823b381d3cba             | 862c628108562d8c7a516a900034823b381d3cba
linux  | linux        | >= 29fac18499332211b2615ade356e2bd8b3269f98 < 2ca99fc3512a8074de20ee52a87b492dfcc41a4d             | 2ca99fc3512a8074de20ee52a87b492dfcc41a4d
linux  | linux        | >= 4.14.322 < 4.15                                                                                  | 4.15
linux  | linux        | >= 4.19.291 < 4.20                                                                                  | 4.20
linux  | linux        | >= 5.10.190 < 5.10.243                                                                              | 5.10.243
linux  | linux        | >= 5.15.126 < 5.15.192                                                                              | 5.15.192
linux  | linux        | >= 5.4.253 < 5.4.299                                                                                | 5.4.299
linux  | linux        | >= 6.1.45 < 6.1.151                                                                                 | 6.1.151
linux  | linux        | >= 6.4.10 < 6.5                                                                                     | 6.5
linux  | linux        | >= a2da00d1ea1abfb04f846638e210b5b5166e3c9c < 964cbb198f9c46c2b2358cd1faffc04c1e8248cf             | 964cbb198f9c46c2b2358cd1faffc04c1e8248cf
linux  | linux        | >= fbe5a2fed8156cc19eb3b956602b0a1dd46a302d < 47f6090bcf75c369695d21c3f179db8a56bbbd49             | 47f6090bcf75c369695d21c3f179db8a56bbbd49
linux  | linux_kernel |                                                                                                     |
linux  | linux_kernel | >= 0 < 5.10.244-1                                                                                   | 5.10.244-1
linux  | linux_kernel | >= 0 < 6.1.153-1                                                                                    | 6.1.153-1

CVSS provenance

Source | Version | Score | Severity | Vector
nvd    | v3.1    | 7.8   | HIGH     | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv    |         | 7.8   | HIGH     |