{ "threat_severity" : "Moderate", "public_date" : "2025-12-08T00:00:00Z", "bugzilla" : { "description" : "kernel: Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once", "id" : "2419920", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2419920" }, "cvss3" : { "cvss3_base_score" : "7.0", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-825", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nBluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once\nhci_cmd_sync_dequeue_once() does lookup and then cancel\nthe entry under two separate lock sections. Meanwhile,\nhci_cmd_sync_work() can also delete the same entry,\nleading to double list_del() and \"UAF\".\nFix this by holding cmd_sync_work_lock across both\nlookup and cancel, so that the entry cannot be removed\nconcurrently.", "A use-after-free flaw was found in hci_cmd_sync_dequeue_once in net/bluetooth/hci_sync.c in Bluetooth: hci_sync in Linux Kernel. This vulnerability could even lead to a kernel information leak problem." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2026-02-02T00:00:00Z", "advisory" : "RHSA-2026:1690", "cpe" : "cpe:/o:redhat:enterprise_linux:10.1", "package" : "kernel-0:6.12.0-124.31.1.el10_1" }, { "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support", "release_date" : "2026-02-02T00:00:00Z", "advisory" : "RHSA-2026:1727", "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0", "package" : "kernel-0:6.12.0-55.58.1.el10_0" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-02-09T00:00:00Z", "advisory" : "RHSA-2026:2212", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-611.30.1.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-02-09T00:00:00Z", "advisory" : "RHSA-2026:2212", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-611.30.1.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support", "release_date" : "2026-01-26T00:00:00Z", "advisory" : "RHSA-2026:1194", "cpe" : "cpe:/a:redhat:rhel_eus:9.6", "package" : "kernel-0:5.14.0-570.81.1.el9_6" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-40318\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-40318\nhttps://lore.kernel.org/linux-cve-announce/2025120823-CVE-2025-40318-0f27@gregkh/T" ], "name" : "CVE-2025-40318", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }