VYPR
Unrated severity · NVD Advisory · Published Nov 12, 2025 · Updated Apr 15, 2026

CVE-2025-40141


Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: ISO: Fix possible UAF on iso_conn_free

This attempts to fix a similar issue to sco_conn_free, where if conn->sk is not set to NULL it may lead to a UAF on iso_conn_free.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free (UAF) in the Linux kernel's Bluetooth ISO subsystem: iso_conn_free does not clear conn->sk, so the connection's socket pointer can remain reachable after the socket it refers to has been released.

Analysis

A use-after-free vulnerability exists in the Linux kernel's Bluetooth ISO (Isochronous) protocol implementation (net/bluetooth/iso.c). The flaw is in iso_conn_free, which does not set the conn->sk pointer (the connection's reference to its socket) to NULL when it releases that socket. This is the same pattern as a previously fixed issue in sco_conn_free for the SCO (Synchronous Connection-Oriented) protocol. Any later path that tests conn->sk for non-NULL and dereferences it can then operate on freed memory. The commit message does not spell out which concrete path performs the stale access, only that the dangling pointer makes one possible.

Exploitation

Exploitation requires the ability to drive the ISO connection lifecycle so that the connection is torn down while a code path that still consults conn->sk can run. The bug is reachable locally by a process that can open Bluetooth ISO sockets (AF_BLUETOOTH with BTPROTO_ISO), and the teardown may also be driven by a peer device over the air, since connection and disconnection events originate from the controller. Beyond the ability to perform Bluetooth operations, no authentication is needed. Winning the race reliably is the practical obstacle; the advisory does not describe a concrete trigger.

Impact

A successful exploit could lead to a kernel crash (denial of service) or potentially allow an attacker to achieve arbitrary code execution in the kernel context, depending on how the freed memory is reallocated and controlled. The impact is consistent with typical use-after-free bugs in kernel subsystems.

Mitigation

The fix has been merged upstream and backported to the stable trees. It ensures that conn->sk is set to NULL in iso_conn_free, mirroring the earlier SCO fix (git commit references [1] and [2]). Update to a kernel that contains the fix; compare the running kernel (uname -r) against your distribution's advisory for this CVE rather than trusting the major version alone, since the patch lands in stable point releases. Where Bluetooth is not needed, unloading or blacklisting the bluetooth kernel module removes the affected code from the attack surface entirely.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Vulnerability mechanics

Root cause

"A use-after-free vulnerability occurs in `iso_conn_free` because the `conn->sk` pointer is not set to NULL, allowing access to freed memory."

Attack vector

The trigger is the ISO connection teardown path. Because iso_conn_free does not set conn->sk to NULL before the connection's socket reference is released, a later operation that checks conn->sk for non-NULL and dereferences it reaches freed memory [patch_id=10813]. The advisory does not say which network path or payload shape is needed to reach this state.

Affected code

The vulnerability exists within the Bluetooth ISO connection handling logic, specifically in the `iso_conn_free` function. This function fails to properly manage the `conn->sk` pointer, leading to a potential use-after-free condition [patch_id=10813].

What the fix does

The patch changes iso_conn_free so that conn->sk is explicitly set to NULL during teardown [patch_id=10813]. A subsequent NULL check on conn->sk then short-circuits instead of dereferencing a stale pointer. This mirrors the fix applied to sco_conn_free for the same pattern [patch_id=10813].
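To make the pattern concrete, the following is an added example, not code from the kernel or from the patch: a constructed C model of a connection object holding a socket pointer, with the vulnerable teardown (reference dropped, conn->sk left dangling) beside the fixed one (conn->sk cleared before the reference is dropped). The struct layouts, the sock_put/sock_touch helpers and the iso_conn_late_use path are assumptions made for the model; real sockets are returned to the allocator, so here sock_put poisons the object instead of freeing it, which makes the stale access observable rather than undefined behaviour. The model also omits the locking the kernel uses to serialise teardown against concurrent socket operations.

```c
/* Added example (not kernel code): models the dangling conn->sk pattern
 * and the NULL-on-teardown fix. Names mirror kernel naming, but every
 * structure and helper here is a simplified, constructed model. */
#include <stdio.h>

enum sk_state { SK_LIVE = 1, SK_FREED = 2 };

struct iso_conn;

/* Model of the socket: holds a back-pointer to its connection. */
struct sock {
    int refcnt;
    enum sk_state state;
    struct iso_conn *conn;
};

/* Model of the connection object: holds a forward pointer to the socket. */
struct iso_conn {
    int refcnt;
    struct sock *sk;
};

/* Model of sock_put(): the last reference "frees" the socket. Instead of
 * returning memory to the allocator, the object is poisoned so a later
 * access through a dangling pointer is detectable. */
static void sock_put(struct sock *sk)
{
    if (--sk->refcnt == 0) {
        sk->state = SK_FREED;
        sk->conn = NULL;
    }
}

/* Returns 0 for an access to a live socket, -1 if the pointer refers to a
 * socket that has already been freed (the use-after-free). */
static int sock_touch(struct sock *sk)
{
    return (sk && sk->state == SK_LIVE) ? 0 : -1;
}

/* Vulnerable teardown: drops the socket reference but leaves conn->sk
 * pointing at the now-freed socket. */
static void iso_conn_free_vuln(struct iso_conn *conn)
{
    if (conn->sk) {
        conn->sk->conn = NULL;
        sock_put(conn->sk);
        /* conn->sk deliberately NOT cleared: this is the bug pattern. */
    }
}

/* Fixed teardown: break both directions of the link while the reference
 * is still valid, then drop it, so no path can reach the socket through
 * conn->sk again. */
static void iso_conn_free_fixed(struct iso_conn *conn)
{
    if (conn->sk) {
        struct sock *sk = conn->sk;
        sk->conn = NULL;
        conn->sk = NULL;
        sock_put(sk);
    }
}

/* A later path that still consults conn->sk (e.g. a disconnect or cleanup
 * handler running after free). Returns 0 if the NULL check short-circuited
 * or a live socket was touched, -1 if it dereferenced a freed socket. */
static int iso_conn_late_use(struct iso_conn *conn)
{
    if (!conn->sk)
        return 0;
    return sock_touch(conn->sk);
}

/* Drive one scenario: a socket bound to a connection, the connection holding
 * the socket's only reference, teardown, then the late path runs. */
static int run_scenario(void (*teardown)(struct iso_conn *))
{
    struct sock sk = { .refcnt = 1, .state = SK_LIVE };
    struct iso_conn conn = { .refcnt = 1, .sk = &sk };
    sk.conn = &conn;

    teardown(&conn);
    return iso_conn_late_use(&conn);
}

int scenario_vulnerable(void) { return run_scenario(iso_conn_free_vuln); }
int scenario_fixed(void) { return run_scenario(iso_conn_free_fixed); }

int main(void)
{
    printf("vulnerable teardown: late use -> %d (-1 = freed socket touched)\n",
           scenario_vulnerable());
    printf("fixed teardown:      late use -> %d (0 = safe no-op)\n",
           scenario_fixed());
    return 0;
}
```

Run it and the vulnerable teardown reports the late path touching a freed socket, while the fixed one reports a safe no-op. The ordering in iso_conn_free_fixed is the point: clear conn->sk and the socket's back-pointer while you still hold a valid reference, then drop it. Clearing after the put would leave a window in which another context could read the stale pointer, which is the class of race the NULL assignment is meant to close.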

Preconditions

  • config: The system must be running a vulnerable version of the Linux kernel with Bluetooth ISO support enabled.

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
