PT-2025-49447 · Linux+4 · Linux Kernel+4

Published: 2025-12-08 · Updated: 2026-05-07 · CVE-2025-40318

CVSS v2.0: 4.6 (Medium)

Vector: AV:L/AC:L/Au:S/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

A race condition exists within the Bluetooth implementation in the Linux kernel, specifically in the hci_cmd_sync_dequeue_once() function. This function performs a lookup and cancellation of an entry in two separate lock sections. Simultaneously, the hci_cmd_sync_work() function can also delete the same entry, potentially leading to a double list_del() operation and a Use-After-Free (UAF) condition. The issue is addressed by holding the cmd_sync_work_lock across both the lookup and cancellation phases, preventing concurrent removal of the entry.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Use After Free

Weakness Enumeration

Related Identifiers

ALSA-2026:1690
ALSA-2026:2212
BDU:2026-02833
CVE-2025-40318
ECHO-2CD5-8A0A-5FC1
MGASA-2026-0017
MGASA-2026-0018
OESA-2026-1759
OESA-2026-1760
OESA-2026-1761
OPENSUSE-SU-2026:20145-1
RHSA-2026:1194
RHSA-2026:1690
RHSA-2026:1727
RHSA-2026:2212
SUSE-SU-2026:0278-1
SUSE-SU-2026:0281-1
SUSE-SU-2026:0293-1
SUSE-SU-2026:0315-1
SUSE-SU-2026:20207-1
SUSE-SU-2026:20220-1
SUSE-SU-2026:20228-1
SUSE-SU-2026:20477-1
SUSE-SU-2026:20498-1
SUSE-SU-2026:20845-1
SUSE-SU-2026:20876-1
USN-8029-1
USN-8029-2
USN-8029-3
USN-8030-1
USN-8048-1
USN-8095-1
USN-8095-2
USN-8095-3
USN-8095-4
USN-8095-5
USN-8100-1
USN-8125-1
USN-8126-1
USN-8165-1
USN-8261-1

Affected Products

Debian
Linuxmint
Linux Kernel
Rocky Linux
Ubuntu