Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-39860— Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()

EPSS 0.02% · P5

Affected Version Matrix 21

VendorProductVersion RangeStatus
LinuxLinuxa2da00d1ea1abfb04f846638e210b5b5166e3c9c< 964cbb198f9c46c2b2358cd1faffc04c1e8248cfaffected
06f87c96216bc5cd1094c23492274f77f1d5dd3b< 83e1d9892ef51785cf0760b7681436760dda435aaffected
fbe5a2fed8156cc19eb3b956602b0a1dd46a302d< 47f6090bcf75c369695d21c3f179db8a56bbbd49affected
29fac18499332211b2615ade356e2bd8b3269f98< 2ca99fc3512a8074de20ee52a87b492dfcc41a4daffected
1728137b33c00d5a2b5110ed7aafb42e7c32e4a1< 6077d16b5c0f65d571eee709de2f0541fb5ef0caaffected
1728137b33c00d5a2b5110ed7aafb42e7c32e4a1< 306b0991413b482dbf5585b423022123bb505966affected
1728137b33c00d5a2b5110ed7aafb42e7c32e4a1< 3dff390f55ccd9ce12e91233849769b5312180c2affected
1728137b33c00d5a2b5110ed7aafb42e7c32e4a1< 862c628108562d8c7a516a900034823b381d3cbaaffected
… +13 more rows
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-39860

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() syzbot reported the splat below without a repro. In the splat, a single thread calling bt_accept_dequeue() freed sk and touched it after that. The root cause would be the racy l2cap_sock_cleanup_listen() call added by the cited commit. bt_accept_dequeue() is called under lock_sock() except for l2cap_sock_release(). Two threads could see the same socket during the list iteration in bt_accept_dequeue(): CPU1 CPU2 (close()) ---- ---- sock_hold(sk) sock_hold(sk); lock_sock(sk) <-- block close() sock_put(sk) bt_accept_unlink(sk) sock_put(sk) <-- refcnt by bt_accept_enqueue() release_sock(sk) lock_sock(sk) sock_put(sk) bt_accept_unlink(sk) sock_put(sk) <-- last refcnt bt_accept_unlink(sk) <-- UAF Depending on the timing, the other thread could show up in the "Freed by task" part. Let's call l2cap_sock_cleanup_listen() under lock_sock() in l2cap_sock_release(). [0]: BUG: KASAN: slab-use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline] BUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115 Read of size 4 at addr ffff88803b7eb1c4 by task syz.5.3276/16995 CPU: 3 UID: 0 PID: 16995 Comm: syz.5.3276 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xcd/0x630 mm/kasan/report.c:482 kasan_report+0xe0/0x110 mm/kasan/report.c:595 debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline] do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115 spin_lock_bh include/linux/spinlock.h:356 [inline] release_sock+0x21/0x220 net/core/sock.c:3746 bt_accept_dequeue+0x505/0x600 net/bluetooth/af_bluetooth.c:312 l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451 l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425 __sock_release+0xb3/0x270 net/socket.c:649 sock_close+0x1c/0x30 net/socket.c:1439 __fput+0x3ff/0xb70 fs/file_table.c:468 task_work_run+0x14d/0x240 kernel/task_work.c:227 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline] do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f2accf8ebe9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffdb6cb1378 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 RAX: 0000000000000000 RBX: 00000000000426fb RCX: 00007f2accf8ebe9 RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 RBP: 00007f2acd1b7da0 R08: 0000000000000001 R09: 00000012b6cb166f R10: 0000001b30e20000 R11: 0000000000000246 R12: 00007f2acd1b609c R13: 00007f2acd1b6090 R14: ffffffffffffffff R15: 00007ffdb6cb1490 </TASK> Allocated by task 5326: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:388 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4365 [inline] __kmalloc_nopro ---truncated---
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于l2cap_sock_cleanup_listen函数中存在释放后重用问题,可能导致内存损坏。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux a2da00d1ea1abfb04f846638e210b5b5166e3c9c ~ 964cbb198f9c46c2b2358cd1faffc04c1e8248cf -
LinuxLinux 6.5 -

II. Public POCs for CVE-2025-39860

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2025-39860

登录查看更多情报信息。

Same Patch Batch · Linux · 2025-09-19 · 30 CVEs total

CVE-2025-39852net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6
CVE-2025-39837platform/x86: asus-wmi: Fix racy registrations
CVE-2025-39838cifs: prevent NULL pointer dereference in UTF16 conversion
CVE-2025-39839batman-adv: fix OOB read/write in network-coding decode
CVE-2025-39840audit: fix out-of-bounds read in audit_compare_dname_path()
CVE-2025-39841scsi: lpfc: Fix buffer free/clear order in deferred receive path
CVE-2025-39842ocfs2: prevent release journal inode after journal shutdown
CVE-2025-39844mm: move page table sync declarations to linux/pgtable.h
CVE-2025-39843mm: slub: avoid wake up kswapd in set_track_prepare
CVE-2025-39845x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings()
CVE-2025-39846pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region()
CVE-2025-39847ppp: fix memory leak in pad_compress_skb
CVE-2025-39848ax25: properly unshare skbs in ax25_kiss_rcv()
CVE-2025-39849wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()
CVE-2025-39850vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects
CVE-2025-39866fs: writeback: fix use-after-free in __mark_inode_dirty()
CVE-2025-39851vxlan: Fix NPD when refreshing an FDB entry with a nexthop object
CVE-2025-39853i40e: Fix potential invalid access when MAC list is empty
CVE-2025-39854ice: fix NULL access of tx->in_use in ice_ll_ts_intr
CVE-2025-39856net: ethernet: ti: am65-cpsw-nuss: Fix null pointer dereference for ndev

Showing top 20 of 30 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2025-39860

No comments yet

Leave a comment