PT-2025-14350 · Linux+9 · Linux Kernel+9
Published: 2025-01-16 · Updated: 2026-05-26
CVE-2025-21969
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.13.0-rc5
Description
A slab-use-after-free read vulnerability has been identified in the Linux kernel's Bluetooth L2CAP implementation. The issue occurs when the hci sync command releases l2cap_conn and the hci receive data work queue then references the released l2cap_conn when sending to the upper layer. This can be resolved by adding an hci dev lock to the hci receive data work queue to synchronize the two. The vulnerability can cause a read of size 8 at addr ffff8880271a4000 by task kworker/u9:2/5837.
Recommendations
To resolve this issue, update the Linux kernel to a version that includes the fix for the slab-use-after-free read vulnerability in the Bluetooth L2CAP implementation. As a temporary workaround, consider disabling the Bluetooth L2CAP functionality until a patch is available. Restrict access to the vulnerable l2cap_send_cmd function to minimize the risk of exploitation. Avoid using the l2cap_conn variable in the affected API endpoint until the issue is resolved.
Exploit
Fix
DoS
Use After Free
Affected Products
Alt Linux
Almalinux
Astra Linux
Debian
Linuxmint
Linux Kernel
Red Hat
Rocky Linux
Suse
Ubuntu