cvelistv5 - cve-2025-40309

CVE-2025-40309 (GCVE-0-2025-40309)

Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix UAF on sco_conn_free BUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline] BUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline] BUG: KASAN: slab-use-after-free in sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107 Write of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352 CPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted 6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: hci13 hci_cmd_sync_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x191/0x550 mm/kasan/report.c:482 kasan_report+0xc4/0x100 mm/kasan/report.c:595 sco_conn_free net/bluetooth/sco.c:87 [inline] kref_put include/linux/kref.h:65 [inline] sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107 sco_connect_cfm+0xb4/0xae0 net/bluetooth/sco.c:1441 hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline] hci_conn_failed+0x20a/0x2e0 net/bluetooth/hci_conn.c:1313 hci_conn_unlink+0x55f/0x810 net/bluetooth/hci_conn.c:1121 hci_conn_del+0xb6/0x1110 net/bluetooth/hci_conn.c:1147 hci_abort_conn_sync+0x8c5/0xbb0 net/bluetooth/hci_sync.c:5689 hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332 process_one_work kernel/workqueue.c:3236 [inline] process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319 worker_thread+0xbee/0x1200 kernel/workqueue.c:3400 kthread+0x3c7/0x870 kernel/kthread.c:463 ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 31370: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x70 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:388 [inline] __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4382 [inline] __kmalloc_noprof+0x22f/0x390 mm/slub.c:4394 kmalloc_noprof include/linux/slab.h:909 [inline] sk_prot_alloc+0xae/0x220 net/core/sock.c:2239 sk_alloc+0x34/0x5a0 net/core/sock.c:2295 bt_sock_alloc+0x3c/0x330 net/bluetooth/af_bluetooth.c:151 sco_sock_alloc net/bluetooth/sco.c:562 [inline] sco_sock_create+0xc0/0x350 net/bluetooth/sco.c:593 bt_sock_create+0x161/0x3b0 net/bluetooth/af_bluetooth.c:135 __sock_create+0x3ad/0x780 net/socket.c:1589 sock_create net/socket.c:1647 [inline] __sys_socket_create net/socket.c:1684 [inline] __sys_socket+0xd5/0x330 net/socket.c:1731 __do_sys_socket net/socket.c:1745 [inline] __se_sys_socket net/socket.c:1743 [inline] __x64_sys_socket+0x7a/0x90 net/socket.c:1743 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 31374: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x70 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:243 [inline] __kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2428 [inline] slab_free mm/slub.c:4701 [inline] kfree+0x199/0x3b0 mm/slub.c:4900 sk_prot_free net/core/sock.c:2278 [inline] __sk_destruct+0x4aa/0x630 net/core/sock.c:2373 sco_sock_release+0x2ad/0x300 net/bluetooth/sco.c:1333 __sock_release net/socket.c:649 [inline] sock_close+0xb8/0x230 net/socket.c:1439 __fput+0x3d1/0x9e0 fs/file_table.c:468 task_work_run+0x206/0x2a0 kernel/task_work.c:227 get_signal+0x1201/0x1410 kernel/signal.c:2807 arch_do_signal_or_restart+0x34/0x740 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop+0x68/0xc0 kernel/entry/common.c:40 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline] s ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/57707135755bd78b1…
	https://git.kernel.org/stable/c/c17caff1062ca91eb…
	https://git.kernel.org/stable/c/d2850f037c2ae7588…
	https://git.kernel.org/stable/c/c419674cc74309ffa…
	https://git.kernel.org/stable/c/03371c0218189b185…
	https://git.kernel.org/stable/c/ed10dddc7df2daaf2…
	https://git.kernel.org/stable/c/391f83547b7b2c63e…
	https://git.kernel.org/stable/c/ecb9a843be4d6fd71…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 57707135755bd78b1fe5acaebb054fba4739e14c (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c17caff1062ca91ebac44bfd01d2fb3d99dc0e23 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d2850f037c2ae75882d68ae654d546ff5c0f678c (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c419674cc74309ffaabc591e7200efb49a18fccd (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 03371c0218189b185595b65a04dad60076ca9718 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ed10dddc7df2daaf2a4d98a972aac5183e738cc0 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 391f83547b7b2c63e4b572ab838e10a06cfa4425 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ecb9a843be4d6fd710d7026e359f21015a062572 (git)

Linux

Unaffected: 5.4.302 , ≤ 5.4.* (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/sco.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "57707135755bd78b1fe5acaebb054fba4739e14c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c17caff1062ca91ebac44bfd01d2fb3d99dc0e23",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d2850f037c2ae75882d68ae654d546ff5c0f678c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c419674cc74309ffaabc591e7200efb49a18fccd",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "03371c0218189b185595b65a04dad60076ca9718",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ed10dddc7df2daaf2a4d98a972aac5183e738cc0",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "391f83547b7b2c63e4b572ab838e10a06cfa4425",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ecb9a843be4d6fd710d7026e359f21015a062572",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/sco.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.302",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.302",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SCO: Fix UAF on sco_conn_free\n\nBUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline]\nBUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline]\nBUG: KASAN: slab-use-after-free in sco_conn_put+0xdd/0x410\nnet/bluetooth/sco.c:107\nWrite of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352\n\nCPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted\n6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: hci13 hci_cmd_sync_work\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x191/0x550 mm/kasan/report.c:482\n kasan_report+0xc4/0x100 mm/kasan/report.c:595\n sco_conn_free net/bluetooth/sco.c:87 [inline]\n kref_put include/linux/kref.h:65 [inline]\n sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107\n sco_connect_cfm+0xb4/0xae0 net/bluetooth/sco.c:1441\n hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline]\n hci_conn_failed+0x20a/0x2e0 net/bluetooth/hci_conn.c:1313\n hci_conn_unlink+0x55f/0x810 net/bluetooth/hci_conn.c:1121\n hci_conn_del+0xb6/0x1110 net/bluetooth/hci_conn.c:1147\n hci_abort_conn_sync+0x8c5/0xbb0 net/bluetooth/hci_sync.c:5689\n hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332\n process_one_work kernel/workqueue.c:3236 [inline]\n process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319\n worker_thread+0xbee/0x1200 kernel/workqueue.c:3400\n kthread+0x3c7/0x870 kernel/kthread.c:463\n ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nAllocated by task 31370:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x30/0x70 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:388 [inline]\n __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4382 [inline]\n __kmalloc_noprof+0x22f/0x390 mm/slub.c:4394\n kmalloc_noprof include/linux/slab.h:909 [inline]\n sk_prot_alloc+0xae/0x220 net/core/sock.c:2239\n sk_alloc+0x34/0x5a0 net/core/sock.c:2295\n bt_sock_alloc+0x3c/0x330 net/bluetooth/af_bluetooth.c:151\n sco_sock_alloc net/bluetooth/sco.c:562 [inline]\n sco_sock_create+0xc0/0x350 net/bluetooth/sco.c:593\n bt_sock_create+0x161/0x3b0 net/bluetooth/af_bluetooth.c:135\n __sock_create+0x3ad/0x780 net/socket.c:1589\n sock_create net/socket.c:1647 [inline]\n __sys_socket_create net/socket.c:1684 [inline]\n __sys_socket+0xd5/0x330 net/socket.c:1731\n __do_sys_socket net/socket.c:1745 [inline]\n __se_sys_socket net/socket.c:1743 [inline]\n __x64_sys_socket+0x7a/0x90 net/socket.c:1743\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 31374:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x30/0x70 mm/kasan/common.c:68\n kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576\n poison_slab_object mm/kasan/common.c:243 [inline]\n __kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275\n kasan_slab_free include/linux/kasan.h:233 [inline]\n slab_free_hook mm/slub.c:2428 [inline]\n slab_free mm/slub.c:4701 [inline]\n kfree+0x199/0x3b0 mm/slub.c:4900\n sk_prot_free net/core/sock.c:2278 [inline]\n __sk_destruct+0x4aa/0x630 net/core/sock.c:2373\n sco_sock_release+0x2ad/0x300 net/bluetooth/sco.c:1333\n __sock_release net/socket.c:649 [inline]\n sock_close+0xb8/0x230 net/socket.c:1439\n __fput+0x3d1/0x9e0 fs/file_table.c:468\n task_work_run+0x206/0x2a0 kernel/task_work.c:227\n get_signal+0x1201/0x1410 kernel/signal.c:2807\n arch_do_signal_or_restart+0x34/0x740 arch/x86/kernel/signal.c:337\n exit_to_user_mode_loop+0x68/0xc0 kernel/entry/common.c:40\n exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]\n s\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-08T00:46:34.785Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/57707135755bd78b1fe5acaebb054fba4739e14c"
        },
        {
          "url": "https://git.kernel.org/stable/c/c17caff1062ca91ebac44bfd01d2fb3d99dc0e23"
        },
        {
          "url": "https://git.kernel.org/stable/c/d2850f037c2ae75882d68ae654d546ff5c0f678c"
        },
        {
          "url": "https://git.kernel.org/stable/c/c419674cc74309ffaabc591e7200efb49a18fccd"
        },
        {
          "url": "https://git.kernel.org/stable/c/03371c0218189b185595b65a04dad60076ca9718"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed10dddc7df2daaf2a4d98a972aac5183e738cc0"
        },
        {
          "url": "https://git.kernel.org/stable/c/391f83547b7b2c63e4b572ab838e10a06cfa4425"
        },
        {
          "url": "https://git.kernel.org/stable/c/ecb9a843be4d6fd710d7026e359f21015a062572"
        }
      ],
      "title": "Bluetooth: SCO: Fix UAF on sco_conn_free",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40309",
    "datePublished": "2025-12-08T00:46:34.785Z",
    "dateReserved": "2025-04-16T07:20:57.185Z",
    "dateUpdated": "2025-12-08T00:46:34.785Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-40309\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-08T01:16:03.207\",\"lastModified\":\"2025-12-08T18:26:19.900\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: SCO: Fix UAF on sco_conn_free\\n\\nBUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline]\\nBUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline]\\nBUG: KASAN: slab-use-after-free in sco_conn_put+0xdd/0x410\\nnet/bluetooth/sco.c:107\\nWrite of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352\\n\\nCPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted\\n6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary)\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\\nWorkqueue: hci13 hci_cmd_sync_work\\nCall Trace:\\n \u003cTASK\u003e\\n __dump_stack lib/dump_stack.c:94 [inline]\\n dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120\\n print_address_description mm/kasan/report.c:378 [inline]\\n print_report+0x191/0x550 mm/kasan/report.c:482\\n kasan_report+0xc4/0x100 mm/kasan/report.c:595\\n sco_conn_free net/bluetooth/sco.c:87 [inline]\\n kref_put include/linux/kref.h:65 [inline]\\n sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107\\n sco_connect_cfm+0xb4/0xae0 net/bluetooth/sco.c:1441\\n hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline]\\n hci_conn_failed+0x20a/0x2e0 net/bluetooth/hci_conn.c:1313\\n hci_conn_unlink+0x55f/0x810 net/bluetooth/hci_conn.c:1121\\n hci_conn_del+0xb6/0x1110 net/bluetooth/hci_conn.c:1147\\n hci_abort_conn_sync+0x8c5/0xbb0 net/bluetooth/hci_sync.c:5689\\n hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332\\n process_one_work kernel/workqueue.c:3236 [inline]\\n process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319\\n worker_thread+0xbee/0x1200 kernel/workqueue.c:3400\\n kthread+0x3c7/0x870 kernel/kthread.c:463\\n ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148\\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\\n \u003c/TASK\u003e\\n\\nAllocated by task 31370:\\n kasan_save_stack mm/kasan/common.c:47 [inline]\\n kasan_save_track+0x30/0x70 mm/kasan/common.c:68\\n poison_kmalloc_redzone mm/kasan/common.c:388 [inline]\\n __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405\\n kasan_kmalloc include/linux/kasan.h:260 [inline]\\n __do_kmalloc_node mm/slub.c:4382 [inline]\\n __kmalloc_noprof+0x22f/0x390 mm/slub.c:4394\\n kmalloc_noprof include/linux/slab.h:909 [inline]\\n sk_prot_alloc+0xae/0x220 net/core/sock.c:2239\\n sk_alloc+0x34/0x5a0 net/core/sock.c:2295\\n bt_sock_alloc+0x3c/0x330 net/bluetooth/af_bluetooth.c:151\\n sco_sock_alloc net/bluetooth/sco.c:562 [inline]\\n sco_sock_create+0xc0/0x350 net/bluetooth/sco.c:593\\n bt_sock_create+0x161/0x3b0 net/bluetooth/af_bluetooth.c:135\\n __sock_create+0x3ad/0x780 net/socket.c:1589\\n sock_create net/socket.c:1647 [inline]\\n __sys_socket_create net/socket.c:1684 [inline]\\n __sys_socket+0xd5/0x330 net/socket.c:1731\\n __do_sys_socket net/socket.c:1745 [inline]\\n __se_sys_socket net/socket.c:1743 [inline]\\n __x64_sys_socket+0x7a/0x90 net/socket.c:1743\\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\\n do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\nFreed by task 31374:\\n kasan_save_stack mm/kasan/common.c:47 [inline]\\n kasan_save_track+0x30/0x70 mm/kasan/common.c:68\\n kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576\\n poison_slab_object mm/kasan/common.c:243 [inline]\\n __kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275\\n kasan_slab_free include/linux/kasan.h:233 [inline]\\n slab_free_hook mm/slub.c:2428 [inline]\\n slab_free mm/slub.c:4701 [inline]\\n kfree+0x199/0x3b0 mm/slub.c:4900\\n sk_prot_free net/core/sock.c:2278 [inline]\\n __sk_destruct+0x4aa/0x630 net/core/sock.c:2373\\n sco_sock_release+0x2ad/0x300 net/bluetooth/sco.c:1333\\n __sock_release net/socket.c:649 [inline]\\n sock_close+0xb8/0x230 net/socket.c:1439\\n __fput+0x3d1/0x9e0 fs/file_table.c:468\\n task_work_run+0x206/0x2a0 kernel/task_work.c:227\\n get_signal+0x1201/0x1410 kernel/signal.c:2807\\n arch_do_signal_or_restart+0x34/0x740 arch/x86/kernel/signal.c:337\\n exit_to_user_mode_loop+0x68/0xc0 kernel/entry/common.c:40\\n exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]\\n s\\n---truncated---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/03371c0218189b185595b65a04dad60076ca9718\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/391f83547b7b2c63e4b572ab838e10a06cfa4425\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/57707135755bd78b1fe5acaebb054fba4739e14c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c17caff1062ca91ebac44bfd01d2fb3d99dc0e23\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c419674cc74309ffaabc591e7200efb49a18fccd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d2850f037c2ae75882d68ae654d546ff5c0f678c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ecb9a843be4d6fd710d7026e359f21015a062572\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ed10dddc7df2daaf2a4d98a972aac5183e738cc0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

FKIE_CVE-2025-40309

Vulnerability from fkie_nvd - Published: 2025-12-08 01:16 - Updated: 2025-12-08 18:26

Severity ?

Summary

References

	URL	Tags
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/03371c0218189b185595b65a04dad60076ca9718
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/391f83547b7b2c63e4b572ab838e10a06cfa4425
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/57707135755bd78b1fe5acaebb054fba4739e14c
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/c17caff1062ca91ebac44bfd01d2fb3d99dc0e23
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/c419674cc74309ffaabc591e7200efb49a18fccd
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/d2850f037c2ae75882d68ae654d546ff5c0f678c
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/ecb9a843be4d6fd710d7026e359f21015a062572
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/ed10dddc7df2daaf2a4d98a972aac5183e738cc0

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SCO: Fix UAF on sco_conn_free\n\nBUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline]\nBUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline]\nBUG: KASAN: slab-use-after-free in sco_conn_put+0xdd/0x410\nnet/bluetooth/sco.c:107\nWrite of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352\n\nCPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted\n6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: hci13 hci_cmd_sync_work\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x191/0x550 mm/kasan/report.c:482\n kasan_report+0xc4/0x100 mm/kasan/report.c:595\n sco_conn_free net/bluetooth/sco.c:87 [inline]\n kref_put include/linux/kref.h:65 [inline]\n sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107\n sco_connect_cfm+0xb4/0xae0 net/bluetooth/sco.c:1441\n hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline]\n hci_conn_failed+0x20a/0x2e0 net/bluetooth/hci_conn.c:1313\n hci_conn_unlink+0x55f/0x810 net/bluetooth/hci_conn.c:1121\n hci_conn_del+0xb6/0x1110 net/bluetooth/hci_conn.c:1147\n hci_abort_conn_sync+0x8c5/0xbb0 net/bluetooth/hci_sync.c:5689\n hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332\n process_one_work kernel/workqueue.c:3236 [inline]\n process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319\n worker_thread+0xbee/0x1200 kernel/workqueue.c:3400\n kthread+0x3c7/0x870 kernel/kthread.c:463\n ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nAllocated by task 31370:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x30/0x70 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:388 [inline]\n __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4382 [inline]\n __kmalloc_noprof+0x22f/0x390 mm/slub.c:4394\n kmalloc_noprof include/linux/slab.h:909 [inline]\n sk_prot_alloc+0xae/0x220 net/core/sock.c:2239\n sk_alloc+0x34/0x5a0 net/core/sock.c:2295\n bt_sock_alloc+0x3c/0x330 net/bluetooth/af_bluetooth.c:151\n sco_sock_alloc net/bluetooth/sco.c:562 [inline]\n sco_sock_create+0xc0/0x350 net/bluetooth/sco.c:593\n bt_sock_create+0x161/0x3b0 net/bluetooth/af_bluetooth.c:135\n __sock_create+0x3ad/0x780 net/socket.c:1589\n sock_create net/socket.c:1647 [inline]\n __sys_socket_create net/socket.c:1684 [inline]\n __sys_socket+0xd5/0x330 net/socket.c:1731\n __do_sys_socket net/socket.c:1745 [inline]\n __se_sys_socket net/socket.c:1743 [inline]\n __x64_sys_socket+0x7a/0x90 net/socket.c:1743\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 31374:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x30/0x70 mm/kasan/common.c:68\n kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576\n poison_slab_object mm/kasan/common.c:243 [inline]\n __kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275\n kasan_slab_free include/linux/kasan.h:233 [inline]\n slab_free_hook mm/slub.c:2428 [inline]\n slab_free mm/slub.c:4701 [inline]\n kfree+0x199/0x3b0 mm/slub.c:4900\n sk_prot_free net/core/sock.c:2278 [inline]\n __sk_destruct+0x4aa/0x630 net/core/sock.c:2373\n sco_sock_release+0x2ad/0x300 net/bluetooth/sco.c:1333\n __sock_release net/socket.c:649 [inline]\n sock_close+0xb8/0x230 net/socket.c:1439\n __fput+0x3d1/0x9e0 fs/file_table.c:468\n task_work_run+0x206/0x2a0 kernel/task_work.c:227\n get_signal+0x1201/0x1410 kernel/signal.c:2807\n arch_do_signal_or_restart+0x34/0x740 arch/x86/kernel/signal.c:337\n exit_to_user_mode_loop+0x68/0xc0 kernel/entry/common.c:40\n exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]\n s\n---truncated---"
    }
  ],
  "id": "CVE-2025-40309",
  "lastModified": "2025-12-08T18:26:19.900",
  "metrics": {},
  "published": "2025-12-08T01:16:03.207",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/03371c0218189b185595b65a04dad60076ca9718"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/391f83547b7b2c63e4b572ab838e10a06cfa4425"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/57707135755bd78b1fe5acaebb054fba4739e14c"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/c17caff1062ca91ebac44bfd01d2fb3d99dc0e23"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/c419674cc74309ffaabc591e7200efb49a18fccd"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/d2850f037c2ae75882d68ae654d546ff5c0f678c"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/ecb9a843be4d6fd710d7026e359f21015a062572"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/ed10dddc7df2daaf2a4d98a972aac5183e738cc0"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}

GHSA-GJ62-7FF7-XCWQ

Vulnerability from github – Published: 2025-12-08 03:31 – Updated: 2025-12-08 03:31

Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: SCO: Fix UAF on sco_conn_free

BUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline] BUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline] BUG: KASAN: slab-use-after-free in sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107 Write of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352

CPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted 6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: hci13 hci_cmd_sync_work Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x191/0x550 mm/kasan/report.c:482 kasan_report+0xc4/0x100 mm/kasan/report.c:595 sco_conn_free net/bluetooth/sco.c:87 [inline] kref_put include/linux/kref.h:65 [inline] sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107 sco_connect_cfm+0xb4/0xae0 net/bluetooth/sco.c:1441 hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline] hci_conn_failed+0x20a/0x2e0 net/bluetooth/hci_conn.c:1313 hci_conn_unlink+0x55f/0x810 net/bluetooth/hci_conn.c:1121 hci_conn_del+0xb6/0x1110 net/bluetooth/hci_conn.c:1147 hci_abort_conn_sync+0x8c5/0xbb0 net/bluetooth/hci_sync.c:5689 hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332 process_one_work kernel/workqueue.c:3236 [inline] process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319 worker_thread+0xbee/0x1200 kernel/workqueue.c:3400 kthread+0x3c7/0x870 kernel/kthread.c:463 ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Allocated by task 31370: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x70 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:388 [inline] __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4382 [inline] __kmalloc_noprof+0x22f/0x390 mm/slub.c:4394 kmalloc_noprof include/linux/slab.h:909 [inline] sk_prot_alloc+0xae/0x220 net/core/sock.c:2239 sk_alloc+0x34/0x5a0 net/core/sock.c:2295 bt_sock_alloc+0x3c/0x330 net/bluetooth/af_bluetooth.c:151 sco_sock_alloc net/bluetooth/sco.c:562 [inline] sco_sock_create+0xc0/0x350 net/bluetooth/sco.c:593 bt_sock_create+0x161/0x3b0 net/bluetooth/af_bluetooth.c:135 __sock_create+0x3ad/0x780 net/socket.c:1589 sock_create net/socket.c:1647 [inline] __sys_socket_create net/socket.c:1684 [inline] __sys_socket+0xd5/0x330 net/socket.c:1731 __do_sys_socket net/socket.c:1745 [inline] __se_sys_socket net/socket.c:1743 [inline] __x64_sys_socket+0x7a/0x90 net/socket.c:1743 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 31374: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x70 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:243 [inline] __kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2428 [inline] slab_free mm/slub.c:4701 [inline] kfree+0x199/0x3b0 mm/slub.c:4900 sk_prot_free net/core/sock.c:2278 [inline] __sk_destruct+0x4aa/0x630 net/core/sock.c:2373 sco_sock_release+0x2ad/0x300 net/bluetooth/sco.c:1333 __sock_release net/socket.c:649 [inline] sock_close+0xb8/0x230 net/socket.c:1439 __fput+0x3d1/0x9e0 fs/file_table.c:468 task_work_run+0x206/0x2a0 kernel/task_work.c:227 get_signal+0x1201/0x1410 kernel/signal.c:2807 arch_do_signal_or_restart+0x34/0x740 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop+0x68/0xc0 kernel/entry/common.c:40 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline] s ---truncated---

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-40309"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-08T01:16:03Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SCO: Fix UAF on sco_conn_free\n\nBUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline]\nBUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline]\nBUG: KASAN: slab-use-after-free in sco_conn_put+0xdd/0x410\nnet/bluetooth/sco.c:107\nWrite of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352\n\nCPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted\n6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: hci13 hci_cmd_sync_work\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x191/0x550 mm/kasan/report.c:482\n kasan_report+0xc4/0x100 mm/kasan/report.c:595\n sco_conn_free net/bluetooth/sco.c:87 [inline]\n kref_put include/linux/kref.h:65 [inline]\n sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107\n sco_connect_cfm+0xb4/0xae0 net/bluetooth/sco.c:1441\n hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline]\n hci_conn_failed+0x20a/0x2e0 net/bluetooth/hci_conn.c:1313\n hci_conn_unlink+0x55f/0x810 net/bluetooth/hci_conn.c:1121\n hci_conn_del+0xb6/0x1110 net/bluetooth/hci_conn.c:1147\n hci_abort_conn_sync+0x8c5/0xbb0 net/bluetooth/hci_sync.c:5689\n hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332\n process_one_work kernel/workqueue.c:3236 [inline]\n process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319\n worker_thread+0xbee/0x1200 kernel/workqueue.c:3400\n kthread+0x3c7/0x870 kernel/kthread.c:463\n ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nAllocated by task 31370:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x30/0x70 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:388 [inline]\n __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4382 [inline]\n __kmalloc_noprof+0x22f/0x390 mm/slub.c:4394\n kmalloc_noprof include/linux/slab.h:909 [inline]\n sk_prot_alloc+0xae/0x220 net/core/sock.c:2239\n sk_alloc+0x34/0x5a0 net/core/sock.c:2295\n bt_sock_alloc+0x3c/0x330 net/bluetooth/af_bluetooth.c:151\n sco_sock_alloc net/bluetooth/sco.c:562 [inline]\n sco_sock_create+0xc0/0x350 net/bluetooth/sco.c:593\n bt_sock_create+0x161/0x3b0 net/bluetooth/af_bluetooth.c:135\n __sock_create+0x3ad/0x780 net/socket.c:1589\n sock_create net/socket.c:1647 [inline]\n __sys_socket_create net/socket.c:1684 [inline]\n __sys_socket+0xd5/0x330 net/socket.c:1731\n __do_sys_socket net/socket.c:1745 [inline]\n __se_sys_socket net/socket.c:1743 [inline]\n __x64_sys_socket+0x7a/0x90 net/socket.c:1743\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 31374:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x30/0x70 mm/kasan/common.c:68\n kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576\n poison_slab_object mm/kasan/common.c:243 [inline]\n __kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275\n kasan_slab_free include/linux/kasan.h:233 [inline]\n slab_free_hook mm/slub.c:2428 [inline]\n slab_free mm/slub.c:4701 [inline]\n kfree+0x199/0x3b0 mm/slub.c:4900\n sk_prot_free net/core/sock.c:2278 [inline]\n __sk_destruct+0x4aa/0x630 net/core/sock.c:2373\n sco_sock_release+0x2ad/0x300 net/bluetooth/sco.c:1333\n __sock_release net/socket.c:649 [inline]\n sock_close+0xb8/0x230 net/socket.c:1439\n __fput+0x3d1/0x9e0 fs/file_table.c:468\n task_work_run+0x206/0x2a0 kernel/task_work.c:227\n get_signal+0x1201/0x1410 kernel/signal.c:2807\n arch_do_signal_or_restart+0x34/0x740 arch/x86/kernel/signal.c:337\n exit_to_user_mode_loop+0x68/0xc0 kernel/entry/common.c:40\n exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]\n s\n---truncated---",
  "id": "GHSA-gj62-7ff7-xcwq",
  "modified": "2025-12-08T03:31:01Z",
  "published": "2025-12-08T03:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40309"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/03371c0218189b185595b65a04dad60076ca9718"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/391f83547b7b2c63e4b572ab838e10a06cfa4425"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/57707135755bd78b1fe5acaebb054fba4739e14c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c17caff1062ca91ebac44bfd01d2fb3d99dc0e23"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c419674cc74309ffaabc591e7200efb49a18fccd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d2850f037c2ae75882d68ae654d546ff5c0f678c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ecb9a843be4d6fd710d7026e359f21015a062572"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ed10dddc7df2daaf2a4d98a972aac5183e738cc0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

MSRC_CVE-2025-40309

Vulnerability from csaf_microsoft - Published: 2025-12-02 00:00 - Updated: 2025-12-09 01:01

Summary

Bluetooth: SCO: Fix UAF on sco_conn_free

Notes

Additional Resources

To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer

The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2025-40309 Bluetooth: SCO: Fix UAF on sco_conn_free - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2025-40309.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "Bluetooth: SCO: Fix UAF on sco_conn_free",
    "tracking": {
      "current_release_date": "2025-12-09T01:01:37.000Z",
      "generator": {
        "date": "2025-12-09T08:19:57.243Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2025-40309",
      "initial_release_date": "2025-12-02T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2025-12-09T01:01:37.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "3.0",
                "product": {
                  "name": "Azure Linux 3.0",
                  "product_id": "17084"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          },
          {
            "category": "product_name",
            "name": "azl3 kernel 6.6.112.1-2",
            "product": {
              "name": "azl3 kernel 6.6.112.1-2",
              "product_id": "1"
            }
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 kernel 6.6.112.1-2 as a component of Azure Linux 3.0",
          "product_id": "17084-1"
        },
        "product_reference": "1",
        "relates_to_product_reference": "17084"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-40309",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "17084-1"
          ]
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Linux",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "known_not_affected": [
          "17084-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-40309 Bluetooth: SCO: Fix UAF on sco_conn_free - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2025-40309.json"
        }
      ],
      "title": "Bluetooth: SCO: Fix UAF on sco_conn_free"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-40309 (GCVE-0-2025-40309)

FKIE_CVE-2025-40309

GHSA-GJ62-7FF7-XCWQ

MSRC_CVE-2025-40309

Tags

Sightings

Nomenclature