{
  "threat_severity" : "Moderate",
  "public_date" : "2025-10-15T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Bluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue",
    "id" : "2404117",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2404117"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nBluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue\nThis fixes the following UAF caused by not properly locking hdev when\nprocessing HCI_EV_NUM_COMP_PKTS:\nBUG: KASAN: slab-use-after-free in hci_conn_tx_dequeue+0x1be/0x220 net/bluetooth/hci_conn.c:3036\nRead of size 4 at addr ffff8880740f0940 by task kworker/u11:0/54\nCPU: 1 UID: 0 PID: 54 Comm: kworker/u11:0 Not tainted 6.16.0-rc7 #3 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014\nWorkqueue: hci1 hci_rx_work\nCall Trace:\n<TASK>\ndump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\nprint_address_description mm/kasan/report.c:378 [inline]\nprint_report+0xca/0x230 mm/kasan/report.c:480\nkasan_report+0x118/0x150 mm/kasan/report.c:593\nhci_conn_tx_dequeue+0x1be/0x220 net/bluetooth/hci_conn.c:3036\nhci_num_comp_pkts_evt+0x1c8/0xa50 net/bluetooth/hci_event.c:4404\nhci_event_func net/bluetooth/hci_event.c:7477 [inline]\nhci_event_packet+0x7e0/0x1200 net/bluetooth/hci_event.c:7531\nhci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4070\nprocess_one_work kernel/workqueue.c:3238 [inline]\nprocess_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321\nworker_thread+0x8a0/0xda0 kernel/workqueue.c:3402\nkthread+0x70e/0x8a0 kernel/kthread.c:464\nret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\nret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry_64.S:245\n</TASK>\nAllocated by task 54:\nkasan_save_stack mm/kasan/common.c:47 [inline]\nkasan_save_track+0x3e/0x80 mm/kasan/common.c:68\npoison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394\nkasan_kmalloc include/linux/kasan.h:260 [inline]\n__kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359\nkmalloc_noprof include/linux/slab.h:905 [inline]\nkzalloc_noprof include/linux/slab.h:1039 [inline]\n__hci_conn_add+0x233/0x1b30 net/bluetooth/hci_conn.c:939\nle_conn_complete_evt+0x3d6/0x1220 net/bluetooth/hci_event.c:5628\nhci_le_enh_conn_complete_evt+0x189/0x470 net/bluetooth/hci_event.c:5794\nhci_event_func net/bluetooth/hci_event.c:7474 [inline]\nhci_event_packet+0x78c/0x1200 net/bluetooth/hci_event.c:7531\nhci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4070\nprocess_one_work kernel/workqueue.c:3238 [inline]\nprocess_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321\nworker_thread+0x8a0/0xda0 kernel/workqueue.c:3402\nkthread+0x70e/0x8a0 kernel/kthread.c:464\nret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\nret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry_64.S:245\nFreed by task 9572:\nkasan_save_stack mm/kasan/common.c:47 [inline]\nkasan_save_track+0x3e/0x80 mm/kasan/common.c:68\nkasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576\npoison_slab_object mm/kasan/common.c:247 [inline]\n__kasan_slab_free+0x62/0x70 mm/kasan/common.c:264\nkasan_slab_free include/linux/kasan.h:233 [inline]\nslab_free_hook mm/slub.c:2381 [inline]\nslab_free mm/slub.c:4643 [inline]\nkfree+0x18e/0x440 mm/slub.c:4842\ndevice_release+0x9c/0x1c0\nkobject_cleanup lib/kobject.c:689 [inline]\nkobject_release lib/kobject.c:720 [inline]\nkref_put include/linux/kref.h:65 [inline]\nkobject_put+0x22b/0x480 lib/kobject.c:737\nhci_conn_cleanup net/bluetooth/hci_conn.c:175 [inline]\nhci_conn_del+0x8ff/0xcb0 net/bluetooth/hci_conn.c:1173\nhci_abort_conn_sync+0x5d1/0xdf0 net/bluetooth/hci_sync.c:5689\nhci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332\nprocess_one_work kernel/workqueue.c:3238 [inline]\nprocess_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321\nworker_thread+0x8a0/0xda0 kernel/workqueue.c:3402\nkthread+0x70e/0x8a0 kernel/kthread.c:464\nret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\nret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry_64.S:245", "A flaw was discovered in the Bluetooth subsystem of the Linux kernel. When processing a HCI_EV_NUM_COMP_PKTS event, the function hci_conn_tx_dequeue() did not properly hold or release the hdev device lock, which may lead to a use-after-free of the connection structure." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-12-09T00:00:00Z",
    "advisory" : "RHSA-2025:22854",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "kernel-0:6.12.0-124.20.1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-01-08T00:00:00Z",
    "advisory" : "RHSA-2026:0271",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "kernel-0:6.12.0-55.52.1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-17T00:00:00Z",
    "advisory" : "RHSA-2025:21469",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.8.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-17T00:00:00Z",
    "advisory" : "RHSA-2025:21469",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.8.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-01-12T00:00:00Z",
    "advisory" : "RHSA-2026:0457",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "kernel-0:5.14.0-570.77.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-39983\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-39983\nhttps://lore.kernel.org/linux-cve-announce/2025101500-CVE-2025-39983-eb8b@gregkh/T" ],
  "name" : "CVE-2025-39983",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}