CVE-2025-39863— Linux kernel 安全漏洞
影响版本矩阵 12
| 厂商 | 产品 | 版本范围 | 状态 |
|---|---|---|---|
| Linux | Linux | 61730d4dfffc2cc9d3a49fad87633008105c18ba< ae58f70bde0433f27ef4b388ab50634736607bf6 | affected |
61730d4dfffc2cc9d3a49fad87633008105c18ba< f1150153c4e5940fe49ab51136343c5b4fe49d63 | affected | ||
61730d4dfffc2cc9d3a49fad87633008105c18ba< 3e789f8475f6c857c88de5c5bf4b24b11a477dd7 | affected | ||
61730d4dfffc2cc9d3a49fad87633008105c18ba< 2f6fbc8e04ca1d1d5c560be694199f847229c625 | affected | ||
61730d4dfffc2cc9d3a49fad87633008105c18ba< 9cb83d4be0b9b697eae93d321e0da999f9cdfcfc | affected | ||
3.10 | affected | ||
< 3.10 | unaffected | ||
6.1.167≤ 6.1.* | unaffected | ||
| … +4 条更多 | |||
获取后续新漏洞提醒登录后订阅
一、 漏洞 CVE-2025-39863 基础信息
漏洞信息
对漏洞内容有疑问?看看神龙的深度分析是否有帮助!
查看神龙十问 ↗ 尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work
来源: 美国国家漏洞数据库 NVD
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work The brcmf_btcoex_detach() only shuts down the btcoex timer, if the flag timer_on is false. However, the brcmf_btcoex_timerfunc(), which runs as timer handler, sets timer_on to false. This creates critical race conditions: 1.If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc() is executing, it may observe timer_on as false and skip the call to timer_shutdown_sync(). 2.The brcmf_btcoex_timerfunc() may then reschedule the brcmf_btcoex_info worker after the cancel_work_sync() has been executed, resulting in use-after-free bugs. The use-after-free bugs occur in two distinct scenarios, depending on the timing of when the brcmf_btcoex_info struct is freed relative to the execution of its worker thread. Scenario 1: Freed before the worker is scheduled The brcmf_btcoex_info is deallocated before the worker is scheduled. A race condition can occur when schedule_work(&bt_local->work) is called after the target memory has been freed. The sequence of events is detailed below: CPU0 | CPU1 brcmf_btcoex_detach | brcmf_btcoex_timerfunc | bt_local->timer_on = false; if (cfg->btcoex->timer_on) | ... | cancel_work_sync(); | ... | kfree(cfg->btcoex); // FREE | | schedule_work(&bt_local->work); // USE Scenario 2: Freed after the worker is scheduled The brcmf_btcoex_info is freed after the worker has been scheduled but before or during its execution. In this case, statements within the brcmf_btcoex_handler() — such as the container_of macro and subsequent dereferences of the brcmf_btcoex_info object will cause a use-after-free access. The following timeline illustrates this scenario: CPU0 | CPU1 brcmf_btcoex_detach | brcmf_btcoex_timerfunc | bt_local->timer_on = false; if (cfg->btcoex->timer_on) | ... | cancel_work_sync(); | ... | schedule_work(); // Reschedule | kfree(cfg->btcoex); // FREE | brcmf_btcoex_handler() // Worker /* | btci = container_of(....); // USE The kfree() above could | ... also occur at any point | btci-> // USE during the worker's execution| */ | To resolve the race conditions, drop the conditional check and call timer_shutdown_sync() directly. It can deactivate the timer reliably, regardless of its current state. Once stopped, the timer_on state is then set to false.
来源: 美国国家漏洞数据库 NVD
CVSS Information
N/A
来源: 美国国家漏洞数据库 NVD
Vulnerability Type
N/A
来源: 美国国家漏洞数据库 NVD
Vulnerability Title
Linux kernel 安全漏洞
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于brcmf_btcoex_info工作线程在取消后可能被重新调度,导致释放后重用。
来源: 中国国家信息安全漏洞库 CNNVD
CVSS Information
N/A
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Type
N/A
来源: 中国国家信息安全漏洞库 CNNVD
受影响产品
二、漏洞 CVE-2025-39863 的公开POC
| # | POC 描述 | 源链接 | 神龙链接 |
|---|
AI 生成 POC高级
未找到公开 POC。
登录以生成 AI POC三、漏洞 CVE-2025-39863 的情报信息
请登录查看更多情报信息。
补丁 · 1
同批安全公告 · Linux · 2025-09-19 · 共 30 条
| CVE-2025-39852 | Linux kernel 安全漏洞 | |
| CVE-2025-39837 | Linux kernel 安全漏洞 | |
| CVE-2025-39838 | Linux kernel 安全漏洞 | |
| CVE-2025-39839 | Linux kernel 安全漏洞 | |
| CVE-2025-39840 | Linux kernel 安全漏洞 | |
| CVE-2025-39841 | Linux kernel 安全漏洞 | |
| CVE-2025-39842 | Linux kernel 安全漏洞 | |
| CVE-2025-39844 | Linux kernel 安全漏洞 | |
| CVE-2025-39843 | Linux kernel 安全漏洞 | |
| CVE-2025-39845 | Linux kernel 安全漏洞 | |
| CVE-2025-39846 | Linux kernel 安全漏洞 | |
| CVE-2025-39847 | Linux kernel 安全漏洞 | |
| CVE-2025-39848 | Linux kernel 安全漏洞 | |
| CVE-2025-39849 | Linux kernel 安全漏洞 | |
| CVE-2025-39850 | Linux kernel 安全漏洞 | |
| CVE-2025-39866 | Linux kernel 安全漏洞 | |
| CVE-2025-39851 | Linux kernel 安全漏洞 | |
| CVE-2025-39853 | Linux kernel 安全漏洞 | |
| CVE-2025-39854 | Linux kernel 安全漏洞 | |
| CVE-2025-39856 | Linux kernel 安全漏洞 |
显示前 20 条,共 30 条。 查看全部 → →
IV. Related Vulnerabilities
V. Comments for CVE-2025-39863
暂无评论