CVE-2025-40213
Description
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete
There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to memcpy from badly declared on-stack flexible array.
Another crash is in set_mesh_complete() due to double list_del via mgmt_pending_valid + mgmt_pending_remove.
Use DEFINE_FLEX to declare the flexible array right, and don't memcpy outside bounds.
As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free, and also report status on error.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Bluetooth MGMT functions set_mesh_sync and set_mesh_complete contain bugs that lead to a stack-out-of-bounds access or a double list_del, causing a kernel crash and potential denial of service.
Vulnerability
A stack-out-of-bounds bug exists in the set_mesh_sync function of the Linux kernel's Bluetooth MGMT subsystem. The issue arises from an incorrectly declared on-stack flexible array, which allows memcpy to write beyond the allocated boundary [1]. Additionally, in set_mesh_complete, a double list_del occurs because mgmt_pending_valid already removes the pending command from its list and mgmt_pending_remove then removes it a second time, leading to list corruption [2][3].
Exploitation
An attacker with the ability to send crafted Bluetooth MGMT commands can trigger these bugs. The vulnerabilities are reachable from local context or potentially remotely if the Bluetooth interface is exposed. Exploitation does not require authentication if the MGMT interface is accessible.
Impact
Successful exploitation results in a kernel crash (denial of service). The double list_del can corrupt kernel memory, possibly leading to a use-after-free condition. The stack-out-of-bounds may allow limited memory corruption, though further exploitation for privilege escalation is not analyzed in the provided references.
Mitigation
The fixes have been applied to stable kernel branches. The patches use DEFINE_FLEX to correctly declare the flexible array and replace the problematic mgmt_pending_valid/mgmt_pending_remove sequence with mgmt_pending_free, while ensuring proper error reporting [1][2][3]. Users should update to the latest stable kernel to mitigate these vulnerabilities.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
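To show the bug class named above (an on-stack struct whose last member is a flexible array) and the shape of the DEFINE_FLEX fix, here is an added userspace C example that is not the kernel's code: struct mesh_cmd and the AD type bytes are constructed stand-ins, STRUCT_SIZE and DEFINE_FLEX are userspace re-creations of the kernel's struct_size/DEFINE_FLEX helpers, and fill_ad_types is a hypothetical bounds-checked copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for an MGMT command, not the real layout. MGMT
 * command structs are packed, so the fixed header is exactly 3 bytes. */
struct mesh_cmd {
    uint16_t handle;
    uint8_t  num_ad_types;
    uint8_t  ad_types[];   /* flexible array member: no storage of its own */
} __attribute__((packed));

/* Bytes a `type` needs when flexible `member` holds `count` elements. */
#define STRUCT_SIZE(type, member, count) \
    (offsetof(type, member) + sizeof(((type *)0)->member[0]) * (count))

/* Userspace model of the kernel's DEFINE_FLEX (include/linux/overflow.h):
 * a union wide enough for `count` elements, counter pre-set, typed pointer. */
#define DEFINE_FLEX(type, name, member, counter, count)                  \
    union { uint8_t bytes[STRUCT_SIZE(type, member, count)]; type obj; } \
        name##_u = { .obj.counter = (count) };                           \
    type *name = &name##_u.obj

/* Copy n AD types into cmd, refusing when the buf_size bytes behind cmd
 * cannot hold them: returns n, or -1 if the copy would leave the object. */
int fill_ad_types(struct mesh_cmd *cmd, size_t buf_size,
                  const uint8_t *src, size_t n)
{
    if (n > UINT8_MAX || STRUCT_SIZE(struct mesh_cmd, ad_types, n) > buf_size)
        return -1;
    cmd->num_ad_types = (uint8_t)n;
    memcpy(cmd->ad_types, src, n);
    return (int)n;
}

/* Constructed sample AD type values. */
static const uint8_t SAMPLE_AD[8] = {0x01, 0x03, 0x09, 0xff, 0x16, 0x19, 0x2a, 0x3d};
/* Buggy pattern: a bare on-stack declaration. sizeof(cmd) is the 3-byte
 * header only, so even a single AD type has nowhere to go. */
int try_buggy_onstack(size_t n)
{
    struct mesh_cmd cmd;
    return fill_ad_types(&cmd, sizeof(cmd), SAMPLE_AD, n);
}
/* Fixed pattern: DEFINE_FLEX reserves room for four AD types (7 bytes). */
int try_define_flex(size_t n)
{
    DEFINE_FLEX(struct mesh_cmd, cmd, ad_types, num_ad_types, 4);
    return fill_ad_types(cmd, sizeof(cmd_u), SAMPLE_AD, n);
}
```

The buggy declaration cannot hold even one AD type, while the DEFINE_FLEX form accepts up to the count it was declared with and the check rejects anything larger.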
Affected products
Patches
35c19daa93d9a1c9aca1787e8e8785404de06
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References