{
  "threat_severity" : "Moderate",
  "public_date" : "2025-10-15T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync",
    "id" : "2404100",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2404100"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nBluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync\nThis fixes the following UAF in hci_acl_create_conn_sync where a\nconnection still pending command submission (conn->state == BT_OPEN)\nmay be freed; since this can also happen with the likes of\nhci_le_create_conn_sync, fix it as well:\nBUG: KASAN: slab-use-after-free in hci_acl_create_conn_sync+0x5ef/0x790 net/bluetooth/hci_sync.c:6861\nWrite of size 2 at addr ffff88805ffcc038 by task kworker/u11:2/9541\nCPU: 1 UID: 0 PID: 9541 Comm: kworker/u11:2 Not tainted 6.16.0-rc7 #3 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014\nWorkqueue: hci3 hci_cmd_sync_work\nCall Trace:\n<TASK>\ndump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\nprint_address_description mm/kasan/report.c:378 [inline]\nprint_report+0xca/0x230 mm/kasan/report.c:480\nkasan_report+0x118/0x150 mm/kasan/report.c:593\nhci_acl_create_conn_sync+0x5ef/0x790 net/bluetooth/hci_sync.c:6861\nhci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332\nprocess_one_work kernel/workqueue.c:3238 [inline]\nprocess_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321\nworker_thread+0x8a0/0xda0 kernel/workqueue.c:3402\nkthread+0x70e/0x8a0 kernel/kthread.c:464\nret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\nret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry_64.S:245\n</TASK>\nAllocated by task 123736:\nkasan_save_stack mm/kasan/common.c:47 [inline]\nkasan_save_track+0x3e/0x80 mm/kasan/common.c:68\npoison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394\nkasan_kmalloc include/linux/kasan.h:260 [inline]\n__kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359\nkmalloc_noprof include/linux/slab.h:905 [inline]\nkzalloc_noprof include/linux/slab.h:1039 [inline]\n__hci_conn_add+0x233/0x1b30 net/bluetooth/hci_conn.c:939\nhci_conn_add_unset net/bluetooth/hci_conn.c:1051 [inline]\nhci_connect_acl+0x16c/0x4e0 net/bluetooth/hci_conn.c:1634\npair_device+0x418/0xa70 net/bluetooth/mgmt.c:3556\nhci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719\nhci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839\nsock_sendmsg_nosec net/socket.c:712 [inline]\n__sock_sendmsg+0x219/0x270 net/socket.c:727\nsock_write_iter+0x258/0x330 net/socket.c:1131\nnew_sync_write fs/read_write.c:593 [inline]\nvfs_write+0x54b/0xa90 fs/read_write.c:686\nksys_write+0x145/0x250 fs/read_write.c:738\ndo_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\ndo_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nFreed by task 103680:\nkasan_save_stack mm/kasan/common.c:47 [inline]\nkasan_save_track+0x3e/0x80 mm/kasan/common.c:68\nkasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576\npoison_slab_object mm/kasan/common.c:247 [inline]\n__kasan_slab_free+0x62/0x70 mm/kasan/common.c:264\nkasan_slab_free include/linux/kasan.h:233 [inline]\nslab_free_hook mm/slub.c:2381 [inline]\nslab_free mm/slub.c:4643 [inline]\nkfree+0x18e/0x440 mm/slub.c:4842\ndevice_release+0x9c/0x1c0\nkobject_cleanup lib/kobject.c:689 [inline]\nkobject_release lib/kobject.c:720 [inline]\nkref_put include/linux/kref.h:65 [inline]\nkobject_put+0x22b/0x480 lib/kobject.c:737\nhci_conn_cleanup net/bluetooth/hci_conn.c:175 [inline]\nhci_conn_del+0x8ff/0xcb0 net/bluetooth/hci_conn.c:1173\nhci_conn_complete_evt+0x3c7/0x1040 net/bluetooth/hci_event.c:3199\nhci_event_func net/bluetooth/hci_event.c:7477 [inline]\nhci_event_packet+0x7e0/0x1200 net/bluetooth/hci_event.c:7531\nhci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4070\nprocess_one_work kernel/workqueue.c:3238 [inline]\nprocess_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321\nworker_thread+0x8a0/0xda0 kernel/workqueue.c:3402\nkthread+0x70e/0x8a0 kernel/kthread.c:464\nret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\nret_from_fork_asm+0x1a/0x30 home/kwqcheii/sour\n---truncated---", "A flaw was found in the Linux kernel’s Bluetooth subsystem (HCI). Specifically, in the function hci_acl_create_conn_sync() (and the related path hci_le_create_conn_sync()), a connection object in state BT_OPEN that is still pending command submission may be freed prematurely, leading to a use-after-free condition. An attacker with network privileges could exploit this to trigger memory corruption, a denial of service, or a potential escalation of privileges." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-12-09T00:00:00Z",
    "advisory" : "RHSA-2025:22854",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "kernel-0:6.12.0-124.20.1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-01-08T00:00:00Z",
    "advisory" : "RHSA-2026:0271",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "kernel-0:6.12.0-55.52.1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-17T00:00:00Z",
    "advisory" : "RHSA-2025:21469",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.8.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-17T00:00:00Z",
    "advisory" : "RHSA-2025:21469",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.8.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2026-01-14T00:00:00Z",
    "advisory" : "RHSA-2026:0576",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "kernel-0:5.14.0-70.161.1.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2026-01-14T00:00:00Z",
    "advisory" : "RHSA-2026:0537",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv",
    "package" : "kernel-rt-0:5.14.0-70.161.1.rt21.233.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-01-14T00:00:00Z",
    "advisory" : "RHSA-2026:0535",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "kernel-0:5.14.0-284.152.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-01-14T00:00:00Z",
    "advisory" : "RHSA-2026:0534",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.152.1.rt14.437.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2026-01-13T00:00:00Z",
    "advisory" : "RHSA-2026:0489",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "kernel-0:5.14.0-427.106.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-39982\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-39982\nhttps://lore.kernel.org/linux-cve-announce/2025101559-CVE-2025-39982-a36e@gregkh/T" ],
  "name" : "CVE-2025-39982",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}