VYPR
Unrated severity · NVD Advisory · Published Dec 8, 2025 · Updated Apr 15, 2026

CVE-2025-40318


Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once

hci_cmd_sync_dequeue_once() does a lookup and then cancels the entry under two separate lock sections. Meanwhile, hci_cmd_sync_work() can also delete the same entry, leading to a double list_del() and "UAF".

Fix this by holding cmd_sync_work_lock across both lookup and cancel, so that the entry cannot be removed concurrently.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A race condition in Linux Bluetooth's hci_cmd_sync_dequeue_once() can cause a use-after-free due to improper locking between lookup and cancel operations.

Vulnerability

Overview

CVE-2025-40318 is a race condition vulnerability in the Linux kernel's Bluetooth subsystem, specifically within hci_sync. The function hci_cmd_sync_dequeue_once() performs a lookup and then cancels an entry under two separate lock sections. This allows a concurrent execution of hci_cmd_sync_work(), which can delete the same entry, leading to a double list_del() and a use-after-free (UAF) condition [1].

Exploitation

Path

An attacker may exploit this race by causing the Bluetooth subsystem to process commands concurrently, triggering the window between the lookup and cancel operations. No special privileges are required beyond the ability to interact with the Bluetooth stack, which may be accessible to unprivileged users in certain configurations. The vulnerability is local and requires timing to win the race.

Impact

Successful exploitation could allow an attacker to corrupt kernel memory, leading to a denial of service (system crash) or potentially arbitrary code execution in the kernel context, depending on the attacker's ability to control the freed memory [2]. The issue affects the stability and security of systems using Bluetooth.

Mitigation

The fix ensures that cmd_sync_work_lock is held across both the lookup and cancel operations, preventing concurrent removal. Patches have been committed to the Linux kernel stable tree and are available as updates. Users should apply the latest kernel updates to mitigate this vulnerability [1].
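To make the locking defect in the description and the mitigation above concrete, here is an added userspace model of the bug class (it is not the kernel's hci_sync code or the actual patch). It assumes a pthread mutex in place of cmd_sync_work_lock, a minimal singly linked list in place of the kernel list, and an `interleave` callback that forces the worker to run in the window where the real race would be won by scheduling; the counter `double_unlinks` stands in for the double list_del() / use-after-free the advisory describes.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>
/* Userspace model of the cmd_sync queue: one linked list guarded by one lock. */
struct entry { int opcode; bool unlinked; struct entry *next; };
static struct entry *head; static int double_unlinks;  /* counter models the double list_del() / UAF */
static pthread_mutex_t work_lock = PTHREAD_MUTEX_INITIALIZER;   /* stands in for cmd_sync_work_lock */
static struct entry *lookup_locked(int opcode) {           /* caller holds work_lock */
    for (struct entry *e = head; e; e = e->next) if (e->opcode == opcode) return e;
    return NULL;
}
static void unlink_locked(struct entry *victim) {          /* caller holds work_lock */
    if (victim->unlinked) { double_unlinks++; return; }    /* removal through a stale pointer */
    for (struct entry **pp = &head; *pp; pp = &(*pp)->next)
        if (*pp == victim) { *pp = victim->next; break; }
    victim->unlinked = true;
}
/* Stand-in for hci_cmd_sync_work() completing and removing the same entry. */
static void worker_remove(int opcode) {
    pthread_mutex_lock(&work_lock);
    struct entry *e = lookup_locked(opcode);
    if (e) unlink_locked(e);
    pthread_mutex_unlock(&work_lock);
}
/* Vulnerable shape: lookup and cancel in two separate lock sections; `interleave` models the worker being scheduled in the unlocked window between them. */
static bool dequeue_once_racy(int opcode, void (*interleave)(int)) {
    pthread_mutex_lock(&work_lock);
    struct entry *e = lookup_locked(opcode);
    pthread_mutex_unlock(&work_lock);
    if (!e) return false;
    interleave(opcode);                   /* e may already be removed (and, in the kernel, freed) here */
    pthread_mutex_lock(&work_lock); unlink_locked(e); pthread_mutex_unlock(&work_lock);
    return true;
}
/* Fixed shape: one critical section covers lookup and cancel, so the worker runs either before it (lookup fails) or after it (nothing left to remove). */
static bool dequeue_once_fixed(int opcode, void (*interleave)(int)) {
    pthread_mutex_lock(&work_lock);
    struct entry *e = lookup_locked(opcode);
    if (e) unlink_locked(e);
    pthread_mutex_unlock(&work_lock);
    interleave(opcode);
    return e != NULL;
}
/* Fresh one-entry queue (constructed sample), one dequeue with the worker interleaved; returns the number of double unlinks: 1 for the racy shape, 0 for the fix. */
static int run_scenario(bool fixed) {
    static struct entry a; a = (struct entry){ .opcode = 1 };
    head = &a; double_unlinks = 0;
    (fixed ? dequeue_once_fixed : dequeue_once_racy)(1, worker_remove);
    return double_unlinks;
}
```

In the kernel the second list_del() hits a freed object rather than a flagged one, which is why the description calls it a UAF rather than a benign double removal.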

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
