Bluetooth Vulnerability in Linux Kernel Affects Mesh Networking Functionality
CVE-2025-40284


Key Information:

Vendor: Linux
Status: Vendor
CVE Published: 6 December 2025

What is CVE-2025-40284?

CVE-2025-40284 is a use-after-free in the Bluetooth Management (MGMT) subsystem of the Linux kernel. MGMT arms a delayed timer, mesh_send_done, while a Bluetooth Mesh send is in flight. When the Bluetooth controller (hdev) is removed, that timer is not cancelled, so it can still fire after the hdev structure has been freed. The handler then touches freed slab memory, which the kernel reports as a slab-use-after-free and which can crash the system. The bug showed up sporadically under automated testing of mesh networking operations, as expected for a race between a pending timer and device teardown. The fix cancels the mesh_send_done timer in the hdev removal handler before the device structure is released, so no pending callback can outlive the object it references. The advisory establishes a kernel crash (denial of service) as the impact; it does not claim anything beyond that, and exploitability of the dangling access for more than a crash is not established here.
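The following is an added example, not kernel code and not part of this advisory. It is a small userspace model of the bug class described above: an object (standing in for hdev) owns a delayed work item, the object is freed during "device removal" while that work is still queued, and the work later fires against freed memory. The slab slot bookkeeping stands in for what KASAN reports on a real kernel. Every name in it (hci_dev_model, work_item, slot_containing, run_pending_work, simulate_hdev_removal, the two mgmt_index_removed_* variants) is invented for the illustration; the kernel's workqueue, delayed_work and slab implementations are far richer than this.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the bug class behind CVE-2025-40284 (added example, not kernel
 * code; every name here is invented for the illustration). */
#define SLAB_SLOTS 2
#define MAX_QUEUE  4

struct hci_dev_model;
typedef void (*work_fn)(struct hci_dev_model *hdev);
struct work_item { struct hci_dev_model *owner; work_fn fn; }; /* ~delayed_work */
struct hci_dev_model {                                          /* ~struct hci_dev */
    struct work_item mesh_send_done;
    int mesh_send_done_ran;
};
enum slot_state { SLOT_FREE, SLOT_LIVE, SLOT_FREED };

static struct hci_dev_model slab[SLAB_SLOTS];   /* toy slab cache */
static enum slot_state slab_state[SLAB_SLOTS];
static struct work_item *queue[MAX_QUEUE];      /* toy workqueue; NULL = cancelled */
static int queue_len, uaf_reports;

/* Slab slot containing address p, or -1 (comparisons stay inside one array). */
static int slot_containing(const void *p) {
    for (int i = 0; i < SLAB_SLOTS; i++) {
        const char *lo = (const char *)&slab[i];
        if ((const char *)p >= lo && (const char *)p < lo + sizeof(slab[i]))
            return i;
    }
    return -1;
}

static void mesh_send_done(struct hci_dev_model *hdev) {
    hdev->mesh_send_done_ran++;  /* the real handler walks hdev's mesh state */
}

static struct hci_dev_model *hdev_alloc(void) {
    for (int i = 0; i < SLAB_SLOTS; i++) {
        if (slab_state[i] != SLOT_FREE) continue;
        slab_state[i] = SLOT_LIVE;
        slab[i].mesh_send_done.owner = &slab[i];
        slab[i].mesh_send_done.fn = mesh_send_done;
        return &slab[i];
    }
    return NULL;
}

static void hdev_free(struct hci_dev_model *hdev) {   /* like kfree() */
    slab_state[slot_containing(hdev)] = SLOT_FREED;
}

static void schedule_delayed_work(struct work_item *w) {
    if (queue_len < MAX_QUEUE) queue[queue_len++] = w;
}

/* Like cancel_delayed_work_sync(): returns true if the work was pending. */
static bool cancel_delayed_work_sync(struct work_item *w) {
    for (int i = 0; i < queue_len; i++)
        if (queue[i] == w) { queue[i] = NULL; return true; }
    return false;
}

/* The workqueue firing later. The slot check stands in for KASAN: the first
 * read of a work struct that now lives in freed memory is the use-after-free. */
static void run_pending_work(void) {
    for (int i = 0; i < queue_len; i++) {
        struct work_item *w = queue[i];
        if (!w) continue;
        int slot = slot_containing(w);
        /* A real kernel would dereference freed slab memory right here. */
        if (slot < 0 || slab_state[slot] != SLOT_LIVE) { uaf_reports++; continue; }
        w->fn(w->owner);
    }
    queue_len = 0;
}

/* Vulnerable shape: free hdev while mesh_send_done is still armed. */
static void mgmt_index_removed_vulnerable(struct hci_dev_model *hdev) { hdev_free(hdev); }

/* Fixed shape: cancel (and wait for) the work before the object goes away. */
static void mgmt_index_removed_fixed(struct hci_dev_model *hdev) {
    cancel_delayed_work_sync(&hdev->mesh_send_done);
    hdev_free(hdev);
}

/* A mesh send arms the timer, the adapter is removed before it fires, then the
 * workqueue runs. Returns the number of use-after-free reports in the model. */
int simulate_hdev_removal(bool with_fix) {
    memset(slab, 0, sizeof(slab));
    memset(slab_state, 0, sizeof(slab_state));
    queue_len = uaf_reports = 0;
    struct hci_dev_model *hdev = hdev_alloc();
    schedule_delayed_work(&hdev->mesh_send_done);
    if (with_fix) mgmt_index_removed_fixed(hdev);
    else          mgmt_index_removed_vulnerable(hdev);
    run_pending_work();
    return uaf_reports;
}

int main(void) {
    printf("vulnerable removal: %d UAF report(s)\n", simulate_hdev_removal(false));
    printf("fixed removal:      %d UAF report(s)\n", simulate_hdev_removal(true));
    return 0;
}
```

The point the model makes is the ordering rule, not the data structures: any callback that holds a pointer into an object must be cancelled, and cancellation must wait for an in-flight run to finish (the `_sync` in the kernel's cancel_delayed_work_sync), before that object's memory is returned to the allocator. Reviewing a removal or teardown path for this class of bug means listing every timer, delayed work and hrtimer the object owns and confirming each one is cancelled synchronously ahead of the free.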

Affected Version(s)

The ranges below use the kernel CNA's git-based versioning: each line reads "introducing commit < fixing commit", and each line corresponds to one kernel branch that carries the fix. Builds that include the introducing commit but not the corresponding fixing commit are affected.

Linux b338d91703fae6f6afd67f3f75caa3b8f36ddef3 < 990e6143b0ca0c66f099d67d00c112bf59b30d76

Linux b338d91703fae6f6afd67f3f75caa3b8f36ddef3 < 2927ff643607eddf4f03d10ef80fe10d977154aa

Linux b338d91703fae6f6afd67f3f75caa3b8f36ddef3 < 7b6b6c077cad0601d62c3c34ab7ce3fb25deda7b


Timeline

  • Vulnerability Reserved

  • Vulnerability published
