CVE-2025-40283 (GCVE-0-2025-40283)
Vulnerability from cvelistv5
Published
2025-12-06 21:51
Modified
2025-12-06 21:51
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF
There is a KASAN: slab-use-after-free read in btusb_disconnect().
Calling "usb_driver_release_interface(&btusb_driver, data->intf)" will
free the btusb data associated with the interface. The same data is
then used later in the function, hence the UAF.
Fix by moving the accesses to btusb data to before the data is free'd.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fd913ef7ce619467c6b0644af48ba1fec499c623 Version: fd913ef7ce619467c6b0644af48ba1fec499c623 Version: fd913ef7ce619467c6b0644af48ba1fec499c623 Version: fd913ef7ce619467c6b0644af48ba1fec499c623 Version: fd913ef7ce619467c6b0644af48ba1fec499c623 Version: fd913ef7ce619467c6b0644af48ba1fec499c623 Version: fd913ef7ce619467c6b0644af48ba1fec499c623 Version: fd913ef7ce619467c6b0644af48ba1fec499c623 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "297dbf87989e09af98f81f2bcb938041785557e8",
"status": "affected",
"version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
"versionType": "git"
},
{
"lessThan": "f858f004bc343a7ae9f2533bbb2a3ab27428532f",
"status": "affected",
"version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
"versionType": "git"
},
{
"lessThan": "7a6d1e740220ff9dfcb6a8c994d6ba49e76db198",
"status": "affected",
"version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
"versionType": "git"
},
{
"lessThan": "5dc00065a0496c36694afe11e52a5bc64524a9b8",
"status": "affected",
"version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
"versionType": "git"
},
{
"lessThan": "1c28c1e1522c773a94e26950ffb145e88cd9834b",
"status": "affected",
"version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
"versionType": "git"
},
{
"lessThan": "95b9b98c93b1c0916a3d4cf4540b7f5d69145a0d",
"status": "affected",
"version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
"versionType": "git"
},
{
"lessThan": "a2610ecd9fd5708be8997ca8f033e4200c0bb6af",
"status": "affected",
"version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
"versionType": "git"
},
{
"lessThan": "23d22f2f71768034d6ef86168213843fc49bf550",
"status": "affected",
"version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF\n\nThere is a KASAN: slab-use-after-free read in btusb_disconnect().\nCalling \"usb_driver_release_interface(\u0026btusb_driver, data-\u003eintf)\" will\nfree the btusb data associated with the interface. The same data is\nthen used later in the function, hence the UAF.\n\nFix by moving the accesses to btusb data to before the data is free\u0027d."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:51:07.409Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/297dbf87989e09af98f81f2bcb938041785557e8"
},
{
"url": "https://git.kernel.org/stable/c/f858f004bc343a7ae9f2533bbb2a3ab27428532f"
},
{
"url": "https://git.kernel.org/stable/c/7a6d1e740220ff9dfcb6a8c994d6ba49e76db198"
},
{
"url": "https://git.kernel.org/stable/c/5dc00065a0496c36694afe11e52a5bc64524a9b8"
},
{
"url": "https://git.kernel.org/stable/c/1c28c1e1522c773a94e26950ffb145e88cd9834b"
},
{
"url": "https://git.kernel.org/stable/c/95b9b98c93b1c0916a3d4cf4540b7f5d69145a0d"
},
{
"url": "https://git.kernel.org/stable/c/a2610ecd9fd5708be8997ca8f033e4200c0bb6af"
},
{
"url": "https://git.kernel.org/stable/c/23d22f2f71768034d6ef86168213843fc49bf550"
}
],
"title": "Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40283",
"datePublished": "2025-12-06T21:51:07.409Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2025-12-06T21:51:07.409Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-40283\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-06T22:15:56.393\",\"lastModified\":\"2025-12-06T22:15:56.393\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF\\n\\nThere is a KASAN: slab-use-after-free read in btusb_disconnect().\\nCalling \\\"usb_driver_release_interface(\u0026btusb_driver, data-\u003eintf)\\\" will\\nfree the btusb data associated with the interface. The same data is\\nthen used later in the function, hence the UAF.\\n\\nFix by moving the accesses to btusb data to before the data is free\u0027d.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1c28c1e1522c773a94e26950ffb145e88cd9834b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/23d22f2f71768034d6ef86168213843fc49bf550\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/297dbf87989e09af98f81f2bcb938041785557e8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5dc00065a0496c36694afe11e52a5bc64524a9b8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7a6d1e740220ff9dfcb6a8c994d6ba49e76db198\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/95b9b98c93b1c0916a3d4cf4540b7f5d69145a0d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a2610ecd9fd5708be8997ca8f033e4200c0bb6af\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f858f004bc343a7ae9f2533bbb2a3ab27428532f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…