Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once hci_cmd_sync_dequeue_once() does lookup and then cancel the entry under two separate lock sections. Meanwhile, hci_cmd_sync_work() can also delete the same entry, leading to double list_del() and "UAF". Fix this by holding cmd_sync_work_lock across both lookup and cancel, so that the entry cannot be removed concurrently.
References
- https://git.kernel.org/stable/c/09b0cd1297b4dbfe736aeaa0ceeab2265f47f772
- https://git.kernel.org/stable/c/0a94f7e017438935c09ef833a1aa908ad9875213
- https://git.kernel.org/stable/c/932c0a4f77ac13e526fdd5b42914d29c9821d389
- https://git.kernel.org/stable/c/9cd536970192b72257afcdfba0bfc09993e6f19c
- https://git.kernel.org/stable/c/ae76cf6c2c842944c6514c57df54d728f1916553
FAQ
What is CVE-2025-40318?
CVE-2025-40318 is a documented vulnerability. In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once hci_cmd_sync_dequeue_once() does lookup and then cancel the entry under...
How severe is CVE-2025-40318?
CVSS scoring is not yet available for CVE-2025-40318. Check NVD for updates.
Is there a patch for CVE-2025-40318?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.