VYPR
Unrated severity · NVD Advisory · Published Dec 16, 2025 · Updated Apr 15, 2026

CVE-2025-68305


Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_sock: Prevent race in socket write iter and sock bind

There is a potential race condition between sock bind and socket write iter. bind may free the same cmd via mgmt_pending before write iter sends the cmd, just as syzbot reported in UAF[1].

Here we use hci_dev_lock to synchronize the two, thereby avoiding the UAF mentioned in [1].

[1] syzbot reported:

    BUG: KASAN: slab-use-after-free in mgmt_pending_remove+0x3b/0x210 net/bluetooth/mgmt_util.c:316
    Read of size 8 at addr ffff888077164818 by task syz.0.17/5989

    Call Trace:
     mgmt_pending_remove+0x3b/0x210 net/bluetooth/mgmt_util.c:316
     set_link_security+0x5c2/0x710 net/bluetooth/mgmt.c:1918
     hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719
     hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839
     sock_sendmsg_nosec net/socket.c:727 [inline]
     __sock_sendmsg+0x21c/0x270 net/socket.c:742
     sock_write_iter+0x279/0x360 net/socket.c:1195

    Allocated by task 5989:
     mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296
     set_link_security+0x557/0x710 net/bluetooth/mgmt.c:1910
     hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719
     hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839
     sock_sendmsg_nosec net/socket.c:727 [inline]
     __sock_sendmsg+0x21c/0x270 net/socket.c:742
     sock_write_iter+0x279/0x360 net/socket.c:1195

    Freed by task 5991:
     mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline]
     mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257
     mgmt_index_removed+0x112/0x2f0 net/bluetooth/mgmt.c:9477
     hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A race condition in the Linux kernel's Bluetooth hci_sock code, between the socket write iter path and the socket bind path, can cause a use-after-free in mgmt_pending_remove.

Vulnerability

Overview

CVE-2025-68305 describes a race condition in the Linux kernel's Bluetooth subsystem, specifically in the hci_sock module. The race is between the socket write iter path (via hci_sock_sendmsg) and the socket bind operation (hci_sock_bind). When a management command is sent, mgmt_pending_add allocates a pending command structure. If a concurrent bind operation triggers mgmt_index_removed, that path can free the same pending command via mgmt_pending_free before the write iter path is done with it, so the later mgmt_pending_remove touches freed memory: a use-after-free (UAF), as reported by syzbot [1].

Exploitation

Conditions

An attacker must have the ability to send Bluetooth management commands and trigger a bind operation on the same socket concurrently. This requires local access to the system and the ability to create and manipulate Bluetooth sockets. The race window is narrow but exploitable, as demonstrated by the syzbot fuzzer. No special privileges beyond the ability to open a Bluetooth socket are needed, though the attack is local [1].

Impact

A successful exploit could allow an attacker to cause a kernel crash (denial of service) or potentially escalate privileges, as use-after-free vulnerabilities in kernel memory can be leveraged for arbitrary code execution. The KASAN report confirms a slab-use-after-free read, indicating memory corruption [1].

Mitigation

The fix, introduced in the Linux kernel stable tree, uses hci_dev_lock to synchronize the write iter and bind paths, preventing the race condition. Users should apply the patch from commit 69fcb0344bc0dd5b13d7e4e98f8b6bf25a6d4ff7 or update to a kernel version containing this fix [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
