VYPR
Unrated severity · NVD Advisory · Published Dec 6, 2025 · Updated Apr 15, 2026

CVE-2025-40284

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: cancel mesh send timer when hdev removed

mesh_send_done timer is not canceled when hdev is removed, which causes crash if the timer triggers after hdev is gone.

Cancel the timer when MGMT removes the hdev, like other MGMT timers.

Should fix the BUG: sporadically seen by BlueZ test bot (in "Mesh - Send cancel - 1" test).

Log:
------
BUG: KASAN: slab-use-after-free in run_timer_softirq+0x76b/0x7d0
...
Freed by task 36:
 kasan_save_stack+0x24/0x50
 kasan_save_track+0x14/0x30
 __kasan_save_free_info+0x3a/0x60
 __kasan_slab_free+0x43/0x70
 kfree+0x103/0x500
 device_release+0x9a/0x210
 kobject_put+0x100/0x1e0
 vhci_release+0x18b/0x240
------

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Linux kernel Bluetooth MGMT subsystem fails to cancel the mesh_send_done timer when an HCI device is removed, leading to a use-after-free crash.

Vulnerability

Overview

In the Linux kernel's Bluetooth MGMT subsystem, the mesh_send_done timer is not cancelled when an HCI device (hdev) is removed. Once the device is released and its memory freed, the still-queued timer can fire, and the timer code then dereferences the freed hdev: a use-after-free. The Kernel Address Sanitizer (KASAN) reports this as a slab-use-after-free. In the log above the offending access happens in run_timer_softirq, while the memory had already been freed by kfree, reached via device_release and kobject_put from vhci_release, i.e. when a virtual HCI device was closed [1][2].

Exploitation

Scenario

Two things have to line up: a mesh send whose completion timer is still pending, and removal of the hdev before that timer fires. The timer is armed through the MGMT mesh send path; in the upstream kernel, state-changing MGMT commands such as this one are only accepted from a trusted MGMT socket, which requires CAP_NET_ADMIN, so the pending timer is set up by a privileged local process (typically a mesh daemon), not by an arbitrary local user. The removal side can be a USB Bluetooth adapter being unplugged or, as in the KASAN trace (vhci_release), a virtual HCI device being closed. When the timer then expires, run_timer_softirq touches the freed hdev in softirq context. In practice this is a lifetime bug hit during normal privileged operation and testing (the BlueZ test bot saw it sporadically in the "Mesh - Send cancel - 1" test) rather than an unprivileged attack primitive; the attack surface is limited to scenarios where a Bluetooth device is removed while a mesh send timer is still pending.

Impact

The direct impact is a kernel crash (denial of service): the timer callback runs in softirq context against freed memory, so the resulting oops takes down the whole system, not just the Bluetooth stack. As with any slab use-after-free, if the freed slot has been reallocated to another object before the timer fires, the stale access lands in that object, which is in principle a memory-corruption primitive that an attacker could try to steer toward privilege escalation. Nothing referenced on this page demonstrates such an exploit, and since the pending timer is armed from a CAP_NET_ADMIN MGMT socket, this is best treated as a robustness and denial-of-service issue first.

Mitigation

The fix cancels the mesh_send_done timer when the MGMT subsystem removes the HCI device, as is already done for the other MGMT timers, so that no queued timer can outlive the hdev it points into. The commits referenced for this CVE (fd62ca5ad136 and 55fb52ffdd62) carry this change. Apply a stable kernel update that contains the fix. No workaround is available; updating the kernel is the recommended course of action.
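
The following is an added example, not kernel code and not part of this advisory: a small userspace C model of the lifetime bug described in the Overview and of the fix described under Mitigation. A toy hci_dev embeds its mesh_send_done timer; removing the device frees the struct while the timer is still on a toy timer wheel, and the toy run_timer_softirq then reaches into freed memory. Instead of unmapping, kfree_toy() poisons and quarantines the object (as SLUB and KASAN do), and the timer runner checks that quarantine the way KASAN's shadow check would, producing a report in the unfixed path and none once the timer is cancelled before the free. The struct layout, the single-slot quarantine, the timer wheel and the timer_delete_sync-style cancel are all stand-ins for this model; the page does not show which cancel helper the upstream commits use.

```c
/* Added userspace model (not kernel code) of the dangling-timer bug behind
 * CVE-2025-40284: hci_dev embeds the mesh_send_done timer; free hci_dev while it
 * is queued and the timer softirq later touches freed memory. kfree_toy() poisons
 * and quarantines instead of unmapping; the runner consults that quarantine the
 * way KASAN's shadow check would. All names below are toy stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct timer_list {
    struct timer_list *next;
    unsigned long expires;
    void (*function)(struct timer_list *);
};

struct hci_dev {                      /* far smaller than the real struct */
    int mesh_send_ref;                /* outstanding mesh sends */
    struct timer_list mesh_send_done;
};

static unsigned long jiffies;         /* toy clock */
static struct timer_list *timer_base; /* toy timer wheel: singly linked list */
static struct { char *base; size_t size; } freed; /* one-slot quarantine */

static void kfree_toy(void *p, size_t size)
{
    free(freed.base);                 /* really release the previous tenant */
    memset(p, 0x6b, size);            /* SLUB POISON_FREE pattern */
    freed.base = p;
    freed.size = size;
}

static bool kasan_is_freed(const void *p)
{
    const char *c = p;
    return freed.base && c >= freed.base && c < freed.base + freed.size;
}

/* timer_delete_sync() analogue: unlink if queued, report whether it was. */
static bool timer_delete_sync(struct timer_list *t)
{
    for (struct timer_list **pp = &timer_base; *pp; pp = &(*pp)->next)
        if (*pp == t) { *pp = t->next; return true; }
    return false;
}

/* run_timer_softirq() analogue; returns the number of KASAN-style reports. */
static int run_timer_softirq(void)
{
    int reports = 0;
    for (struct timer_list **pp = &timer_base; *pp; ) {
        struct timer_list *t = *pp;
        if (kasan_is_freed(t)) {      /* KASAN would flag the read of t->expires */
            printf("BUG: KASAN: slab-use-after-free in run_timer_softirq %p\n", (void *)t);
            reports++;
            *pp = NULL;               /* its links are poison; the real kernel oopses here */
            break;
        }
        if (t->expires > jiffies) { pp = &t->next; continue; }
        *pp = t->next;                /* dequeue, then run the callback */
        t->function(t);
    }
    return reports;
}

static void mesh_send_done(struct timer_list *t)
{
    struct hci_dev *hdev = container_of(t, struct hci_dev, mesh_send_done);
    hdev->mesh_send_ref--;            /* this write is the UAF once hdev is freed */
}

/* Arm a mesh send (MGMT path), optionally let it complete, remove the device,
 * advance time. Returns 1 report only for the unfixed removal with the timer queued. */
int scenario(bool fixed, bool complete_before_removal)
{
    timer_base = NULL;
    jiffies = 0;
    struct hci_dev *hdev = calloc(1, sizeof(*hdev));
    hdev->mesh_send_done.function = mesh_send_done;
    hdev->mesh_send_ref++;                        /* MGMT mesh send arms the timer */
    hdev->mesh_send_done.expires = jiffies + 10;
    hdev->mesh_send_done.next = timer_base;
    timer_base = &hdev->mesh_send_done;
    if (complete_before_removal) {
        jiffies += 20;
        run_timer_softirq();                      /* fires normally, ref back to 0 */
    }
    if (fixed)                                    /* the fix: cancel before kfree */
        timer_delete_sync(&hdev->mesh_send_done);
    kfree_toy(hdev, sizeof(*hdev));               /* device removal */
    jiffies += 20;
    return run_timer_softirq();
}
```

scenario(false, false) reproduces the report from the commit message: the device is gone, the wheel still holds a timer inside it, and the next softirq pass hits it. scenario(true, false) is the fixed path, and scenario(x, true) shows the timer completing normally before removal, where neither variant misbehaves. The general rule the model illustrates is the one the fix applies: any timer, work item or callback embedded in an object must be cancelled (synchronously, so an in-flight callback has finished) before that object is freed.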

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Linux/Kernel (inferred): 2 versions, no CPE assigned

Patches (5)

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)

News mentions (0)

No linked articles in our index yet.