CVE-2025-40283
Description
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF
There is a KASAN: slab-use-after-free read in btusb_disconnect(). Calling "usb_driver_release_interface(&btusb_driver, data->intf)" will free the btusb data associated with the interface. The same data is then used later in the function, hence the UAF.
Fix by moving the accesses to btusb data to before the data is free'd.
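The ordering hazard described above, as an added user-space model (not the btusb driver's code and not taken from the fix commits). The struct, field and function names are hypothetical, and the object is poisoned rather than actually freed so the stale access can be counted without undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define POISON_FREE 0x6b  /* byte the kernel writes over freed objects when slab poisoning is on */

/* Model of per-device driver data; names are hypothetical. */
struct model_data {
    bool freed;           /* bookkeeping, stands in for KASAN's shadow state */
    unsigned char aux;    /* payload: 1 while an auxiliary interface is claimed */
};
static int stale_reads, aux_released;

/* Stand-in for a release call that frees the driver data as a side effect. */
static void release_main(struct model_data *d) {
    memset(&d->aux, POISON_FREE, sizeof d->aux);
    d->freed = true;
}

/* Checked read of the payload; counts any access made after the free. */
static unsigned char read_aux(struct model_data *d) {
    if (d->freed) stale_reads++;
    return d->aux;
}

/* Buggy order: release first, then consult the data. Returns stale reads. */
int disconnect_buggy(void) {
    struct model_data d = { .freed = false, .aux = 1 };
    stale_reads = aux_released = 0;
    release_main(&d);
    if (read_aux(&d) == 1) aux_released++;  /* sees 0x6b: stale read, cleanup skipped */
    return stale_reads;
}

/* Fixed order: every access to the data happens before the release. */
int disconnect_fixed(void) {
    struct model_data d = { .freed = false, .aux = 1 };
    stale_reads = aux_released = 0;
    if (read_aux(&d) == 1) aux_released++;
    release_main(&d);
    return stale_reads;
}
int aux_release_count(void) { return aux_released; }

int main(void) {
    int stale = disconnect_buggy();
    printf("buggy: stale=%d aux_released=%d\n", stale, aux_released);
    stale = disconnect_fixed();
    printf("fixed: stale=%d aux_released=%d\n", stale, aux_released);
    return 0;
}
```

In the model the buggy order both touches the released object and skips the dependent cleanup, while the reordered version does neither.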
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free in the Linux kernel's Bluetooth btusb driver occurs when btusb_disconnect() frees data then accesses it; fixed by reordering cleanup.
The vulnerability is a use-after-free (UAF) in the btusb_disconnect() function of the Linux kernel's Bluetooth USB driver (btusb). The function calls usb_driver_release_interface() which frees the btusb data structure associated with the interface. However, after this call, the function continues to access the same freed data, leading to a slab-use-after-free condition as detected by KASAN [1][2][3].
Exploitation requires local access to the system and the ability to trigger a disconnect of a Bluetooth USB device. An attacker with physical access or control over a Bluetooth adapter could potentially cause the driver to disconnect, triggering the UAF. No special privileges are needed beyond the ability to interact with USB devices.
The impact is a use-after-free read, which can lead to memory corruption and potentially privilege escalation. An attacker could exploit this to execute arbitrary code in kernel context, leading to full system compromise. A CVSS score is not provided, but it is likely high.
The fix has been applied in the Linux kernel stable branches via commits [1], [2], and [3]. Users should update their kernels to the latest stable versions to mitigate this vulnerability. No workaround is available other than applying the patch.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (8)
- 297dbf87989e
- f858f004bc34
- 7a6d1e740220
- 5dc00065a049
- 1c28c1e1522c
- 95b9b98c93b1
- a2610ecd9fd5
- 23d22f2f7176
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
- git.kernel.org/stable/c/1c28c1e1522c773a94e26950ffb145e88cd9834b (nvd)
- git.kernel.org/stable/c/23d22f2f71768034d6ef86168213843fc49bf550 (nvd)
- git.kernel.org/stable/c/297dbf87989e09af98f81f2bcb938041785557e8 (nvd)
- git.kernel.org/stable/c/5dc00065a0496c36694afe11e52a5bc64524a9b8 (nvd)
- git.kernel.org/stable/c/7a6d1e740220ff9dfcb6a8c994d6ba49e76db198 (nvd)
- git.kernel.org/stable/c/95b9b98c93b1c0916a3d4cf4540b7f5d69145a0d (nvd)
- git.kernel.org/stable/c/a2610ecd9fd5708be8997ca8f033e4200c0bb6af (nvd)
- git.kernel.org/stable/c/f858f004bc343a7ae9f2533bbb2a3ab27428532f (nvd)