Race Condition in Linux Kernel Bluetooth Functionality
CVE-2025-40318
What is CVE-2025-40318?
A race condition vulnerability exists in the Linux kernel's Bluetooth functionality, specifically in the hci_cmd_sync_dequeue_once function. The function looks up an entry and then attempts to cancel it without holding a lock across both steps, so another function, hci_cmd_sync_work, can delete the same entry concurrently. The entry can then be removed from the list twice, resulting in a use-after-free (UAF). The vulnerability has been addressed by holding cmd_sync_work_lock throughout both the lookup and the cancel, so the list cannot be modified concurrently between the two steps.
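As an added illustration that is not the kernel's code and not the patch for this CVE, the following hypothetical userspace model contrasts the two locking shapes described above: the racy lookup, unlock, cancel sequence, and the fixed form that keeps a single lock (standing in for cmd_sync_work_lock) across both steps. All names (struct entry, struct queue, dequeue_once_racy, dequeue_once_fixed, run_contended) are assumptions for this example; run_contended has two threads compete over one queue and returns how many entries were removed, which must equal the number queued.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>
/* Hypothetical userspace model, not kernel code; q->lock stands in for cmd_sync_work_lock. */
struct entry { struct entry *next; int opcode; };
struct queue { pthread_mutex_t lock; struct entry *head; int removed; };
/* Both helpers require q->lock to be held by the caller. */
static struct entry *lookup_locked(struct queue *q, int opcode) {
    for (struct entry *e = q->head; e; e = e->next)
        if (e->opcode == opcode) return e;
    return NULL;
}
static bool unlink_locked(struct queue *q, struct entry *e) {
    for (struct entry **pp = &q->head; *pp; pp = &(*pp)->next)
        if (*pp == e) { *pp = e->next; return true; }
    return false;   /* already gone: a concurrent path removed it */
}
/* Vulnerable shape (for contrast, not run): the lock is dropped between lookup and
 * cancel, so a concurrent worker can unlink and free e in that window (double removal, UAF). */
bool dequeue_once_racy(struct queue *q, int opcode) {
    pthread_mutex_lock(&q->lock);
    struct entry *e = lookup_locked(q, opcode);
    pthread_mutex_unlock(&q->lock);         /* window opens here */
    if (!e) return false;
    pthread_mutex_lock(&q->lock);
    unlink_locked(q, e);                    /* e may already be freed */
    pthread_mutex_unlock(&q->lock);
    free(e); return true;
}
/* Fixed shape: lookup and unlink share one critical section, so the unlinker alone frees. */
bool dequeue_once_fixed(struct queue *q, int opcode) {
    pthread_mutex_lock(&q->lock);
    struct entry *e = lookup_locked(q, opcode);
    if (e && unlink_locked(q, e)) q->removed++;
    pthread_mutex_unlock(&q->lock);
    free(e);                                /* free(NULL) is a no-op */
    return e != NULL;
}
static void *worker(void *a) { for (int op = 0; op < 1000; op++) dequeue_once_fixed(a, op); return NULL; }
/* Two threads contend for the same 1000 entries; returns total removals. */
int run_contended(void) {
    struct queue q = { PTHREAD_MUTEX_INITIALIZER, NULL, 0 };
    for (int op = 0; op < 1000; op++) {
        struct entry *e = malloc(sizeof *e); e->opcode = op; e->next = q.head; q.head = e;
    }
    pthread_t t[2];
    for (int i = 0; i < 2; i++) pthread_create(&t[i], NULL, worker, &q);
    for (int i = 0; i < 2; i++) pthread_join(t[i], NULL);
    return q.removed;   /* exactly 1000: each entry removed once, never twice */
}
```

Build with pthread support (for example `cc -pthread`); dequeue_once_racy is kept only to show where the window sits and is never called, since exercising it would be undefined behaviour.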
Affected Version(s)
Linux f00f36db76eb8fd10d13e80e2590f23b5beaa54d < 0a94f7e017438935c09ef833a1aa908ad9875213
Linux 1499f79995c7ee58e3bfeeff75f6d1b37dcda881 < 932c0a4f77ac13e526fdd5b42914d29c9821d389
Linux 505ea2b295929e7be2b4e1bc86ee31cb7862fb01