{
  "threat_severity" : "Moderate",
  "public_date" : "2025-04-01T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd",
    "id" : "2356633",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2356633"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nBluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd\nAfter the hci sync command releases l2cap_conn, the hci receive data work\nqueue references the released l2cap_conn when sending to the upper layer.\nAdd hci dev lock to the hci receive data work queue to synchronize the two.\n[1]\nBUG: KASAN: slab-use-after-free in l2cap_send_cmd+0x187/0x8d0 net/bluetooth/l2cap_core.c:954\nRead of size 8 at addr ffff8880271a4000 by task kworker/u9:2/5837\nCPU: 0 UID: 0 PID: 5837 Comm: kworker/u9:2 Not tainted 6.13.0-rc5-syzkaller-00163-gab75170520d4 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nWorkqueue: hci1 hci_rx_work\nCall Trace:\n<TASK>\n__dump_stack lib/dump_stack.c:94 [inline]\ndump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\nprint_address_description mm/kasan/report.c:378 [inline]\nprint_report+0x169/0x550 mm/kasan/report.c:489\nkasan_report+0x143/0x180 mm/kasan/report.c:602\nl2cap_build_cmd net/bluetooth/l2cap_core.c:2964 [inline]\nl2cap_send_cmd+0x187/0x8d0 net/bluetooth/l2cap_core.c:954\nl2cap_sig_send_rej net/bluetooth/l2cap_core.c:5502 [inline]\nl2cap_sig_channel net/bluetooth/l2cap_core.c:5538 [inline]\nl2cap_recv_frame+0x221f/0x10db0 net/bluetooth/l2cap_core.c:6817\nhci_acldata_packet net/bluetooth/hci_core.c:3797 [inline]\nhci_rx_work+0x508/0xdb0 net/bluetooth/hci_core.c:4040\nprocess_one_work kernel/workqueue.c:3229 [inline]\nprocess_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310\nworker_thread+0x870/0xd30 kernel/workqueue.c:3391\nkthread+0x2f0/0x390 kernel/kthread.c:389\nret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n</TASK>\nAllocated by task 5837:\nkasan_save_stack mm/kasan/common.c:47 [inline]\nkasan_save_track+0x3f/0x80 mm/kasan/common.c:68\npoison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394\nkasan_kmalloc include/linux/kasan.h:260 [inline]\n__kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329\nkmalloc_noprof include/linux/slab.h:901 [inline]\nkzalloc_noprof include/linux/slab.h:1037 [inline]\nl2cap_conn_add+0xa9/0x8e0 net/bluetooth/l2cap_core.c:6860\nl2cap_connect_cfm+0x115/0x1090 net/bluetooth/l2cap_core.c:7239\nhci_connect_cfm include/net/bluetooth/hci_core.h:2057 [inline]\nhci_remote_features_evt+0x68e/0xac0 net/bluetooth/hci_event.c:3726\nhci_event_func net/bluetooth/hci_event.c:7473 [inline]\nhci_event_packet+0xac2/0x1540 net/bluetooth/hci_event.c:7525\nhci_rx_work+0x3f3/0xdb0 net/bluetooth/hci_core.c:4035\nprocess_one_work kernel/workqueue.c:3229 [inline]\nprocess_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310\nworker_thread+0x870/0xd30 kernel/workqueue.c:3391\nkthread+0x2f0/0x390 kernel/kthread.c:389\nret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\nFreed by task 54:\nkasan_save_stack mm/kasan/common.c:47 [inline]\nkasan_save_track+0x3f/0x80 mm/kasan/common.c:68\nkasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582\npoison_slab_object mm/kasan/common.c:247 [inline]\n__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264\nkasan_slab_free include/linux/kasan.h:233 [inline]\nslab_free_hook mm/slub.c:2353 [inline]\nslab_free mm/slub.c:4613 [inline]\nkfree+0x196/0x430 mm/slub.c:4761\nl2cap_connect_cfm+0xcc/0x1090 net/bluetooth/l2cap_core.c:7235\nhci_connect_cfm include/net/bluetooth/hci_core.h:2057 [inline]\nhci_conn_failed+0x287/0x400 net/bluetooth/hci_conn.c:1266\nhci_abort_conn_sync+0x56c/0x11f0 net/bluetooth/hci_sync.c:5603\nhci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332\nprocess_one_work kernel/workqueue.c:3229 [inline]\nprocess_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310\nworker_thread+0x870/0xd30 kernel/workqueue.c:3391\nkthread+0x2f0/0x390 kernel/kthread.c:389\nret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x1a/0x30 arch/x86/entry/entr\n---truncated---" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-06-16T00:00:00Z",
    "advisory" : "RHSA-2025:9079",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.0",
    "package" : "kernel-0:6.12.0-55.17.1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-06-16T00:00:00Z",
    "advisory" : "RHSA-2025:9080",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.22.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-06-16T00:00:00Z",
    "advisory" : "RHSA-2025:9080",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.22.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-21969\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21969\nhttps://lore.kernel.org/linux-cve-announce/2025040146-CVE-2025-21969-d4f2@gregkh/T" ],
  "name" : "CVE-2025-21969",
  "csaw" : false
}