{
  "threat_severity" : "Moderate",
  "public_date" : "2025-10-15T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Bluetooth: MGMT: Fix possible UAFs",
    "id" : "2404105",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2404105"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nBluetooth: MGMT: Fix possible UAFs\nThis attempts to fix possible UAFs caused by struct mgmt_pending being\nfreed while still being processed like in the following trace, in order\nto fix, mgmt_pending_valid is introduced and used to check if the\nmgmt_pending hasn't been removed from the pending list, on the complete\ncallbacks it is used to check and in addition remove the cmd from the list\nwhile holding mgmt_pending_lock to avoid TOCTOU problems since if the cmd\nis left on the list it can still be accessed and freed.\nBUG: KASAN: slab-use-after-free in mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223\nRead of size 8 at addr ffff8880709d4dc0 by task kworker/u11:0/55\nCPU: 0 UID: 0 PID: 55 Comm: kworker/u11:0 Not tainted 6.16.4 #2 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n<TASK>\ndump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\nprint_address_description mm/kasan/report.c:378 [inline]\nprint_report+0xca/0x240 mm/kasan/report.c:482\nkasan_report+0x118/0x150 mm/kasan/report.c:595\nmgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223\nhci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332\nprocess_one_work kernel/workqueue.c:3238 [inline]\nprocess_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321\nworker_thread+0x8a0/0xda0 kernel/workqueue.c:3402\nkthread+0x711/0x8a0 kernel/kthread.c:464\nret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\nret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16.4/arch/x86/entry/entry_64.S:245\n</TASK>\nAllocated by task 12210:\nkasan_save_stack mm/kasan/common.c:47 [inline]\nkasan_save_track+0x3e/0x80 mm/kasan/common.c:68\npoison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394\nkasan_kmalloc include/linux/kasan.h:260 
[inline]\n__kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4364\nkmalloc_noprof include/linux/slab.h:905 [inline]\nkzalloc_noprof include/linux/slab.h:1039 [inline]\nmgmt_pending_new+0x65/0x1e0 net/bluetooth/mgmt_util.c:269\nmgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296\n__add_adv_patterns_monitor+0x130/0x200 net/bluetooth/mgmt.c:5247\nadd_adv_patterns_monitor+0x214/0x360 net/bluetooth/mgmt.c:5364\nhci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719\nhci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839\nsock_sendmsg_nosec net/socket.c:714 [inline]\n__sock_sendmsg+0x219/0x270 net/socket.c:729\nsock_write_iter+0x258/0x330 net/socket.c:1133\nnew_sync_write fs/read_write.c:593 [inline]\nvfs_write+0x5c9/0xb30 fs/read_write.c:686\nksys_write+0x145/0x250 fs/read_write.c:738\ndo_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\ndo_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nFreed by task 12221:\nkasan_save_stack mm/kasan/common.c:47 [inline]\nkasan_save_track+0x3e/0x80 mm/kasan/common.c:68\nkasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576\npoison_slab_object mm/kasan/common.c:247 [inline]\n__kasan_slab_free+0x62/0x70 mm/kasan/common.c:264\nkasan_slab_free include/linux/kasan.h:233 [inline]\nslab_free_hook mm/slub.c:2381 [inline]\nslab_free mm/slub.c:4648 [inline]\nkfree+0x18e/0x440 mm/slub.c:4847\nmgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline]\nmgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257\n__mgmt_power_off+0x169/0x350 net/bluetooth/mgmt.c:9444\nhci_dev_close_sync+0x754/0x1330 net/bluetooth/hci_sync.c:5290\nhci_dev_do_close net/bluetooth/hci_core.c:501 [inline]\nhci_dev_close+0x108/0x200 net/bluetooth/hci_core.c:526\nsock_do_ioctl+0xd9/0x300 net/socket.c:1192\nsock_ioctl+0x576/0x790 net/socket.c:1313\nvfs_ioctl fs/ioctl.c:51 [inline]\n__do_sys_ioctl fs/ioctl.c:907 [inline]\n__se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893\ndo_syscall_x64 arch/x86/entry/syscall_64.c:63 
[inline]\ndo_syscall_64+0xf\n---truncated---", "A flaw was found in the Linux kernel’s Bluetooth management subsystem (net/bluetooth/mgmt*.c). The mgmt_pending structure may be freed while still being processed, or remain on the pending command list, which allows a use-after-free or double-free scenario. An attacker with local access to the system and the ability to interact with the Bluetooth subsystem could exploit this to trigger memory corruption, potentially leading to elevated privileges or denial of service." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-12-09T00:00:00Z",
    "advisory" : "RHSA-2025:22854",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "kernel-0:6.12.0-124.20.1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-01-08T00:00:00Z",
    "advisory" : "RHSA-2026:0271",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "kernel-0:6.12.0-55.52.1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-12-01T00:00:00Z",
    "advisory" : "RHSA-2025:22405",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.11.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-12-01T00:00:00Z",
    "advisory" : "RHSA-2025:22405",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.11.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-01-12T00:00:00Z",
    "advisory" : "RHSA-2026:0457",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "kernel-0:5.14.0-570.77.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-39981\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-39981\nhttps://lore.kernel.org/linux-cve-announce/2025101559-CVE-2025-39981-fe1d@gregkh/T" ],
  "name" : "CVE-2025-39981",
  "mitigation" : {
    "value" : "Ensure Bluetooth management interfaces are hardened or, if unused, disabled.",
    "lang" : "en:us"
  },
  "csaw" : false
}