
CVE-2025-39863 — wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work

AI Predicted 6.5 Difficulty: Hard EPSS 0.02% · P5

Affected Version Matrix (12 entries)

Vendor | Product | Version Range                                                                                   | Status
Linux  | Linux   | 61730d4dfffc2cc9d3a49fad87633008105c18ba ≤ version < ae58f70bde0433f27ef4b388ab50634736607bf6 | affected
Linux  | Linux   | 61730d4dfffc2cc9d3a49fad87633008105c18ba ≤ version < f1150153c4e5940fe49ab51136343c5b4fe49d63 | affected
Linux  | Linux   | 61730d4dfffc2cc9d3a49fad87633008105c18ba ≤ version < 3e789f8475f6c857c88de5c5bf4b24b11a477dd7 | affected
Linux  | Linux   | 61730d4dfffc2cc9d3a49fad87633008105c18ba ≤ version < 2f6fbc8e04ca1d1d5c560be694199f847229c625 | affected
Linux  | Linux   | 61730d4dfffc2cc9d3a49fad87633008105c18ba ≤ version < 9cb83d4be0b9b697eae93d321e0da999f9cdfcfc | affected
Linux  | Linux   | 3.10                                                                                            | affected
Linux  | Linux   | < 3.10                                                                                          | unaffected
Linux  | Linux   | 6.1.167 ≤ version ≤ 6.1.*                                                                       | unaffected
(4 more rows not shown)

I. Basic Information for CVE-2025-39863

Vulnerability Information


Vulnerability Title
wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work

The brcmf_btcoex_detach() only shuts down the btcoex timer if the flag timer_on is set. However, the brcmf_btcoex_timerfunc(), which runs as the timer handler, sets timer_on to false. This creates critical race conditions:

1. If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc() is executing, it may observe timer_on as false and skip the call to timer_shutdown_sync().
2. The brcmf_btcoex_timerfunc() may then reschedule the brcmf_btcoex_info worker after cancel_work_sync() has been executed, resulting in use-after-free bugs.

The use-after-free bugs occur in two distinct scenarios, depending on when the brcmf_btcoex_info struct is freed relative to the execution of its worker thread.

Scenario 1: Freed before the worker is scheduled

The brcmf_btcoex_info is deallocated before the worker is scheduled. A race condition can occur when schedule_work(&bt_local->work) is called after the target memory has been freed. The sequence of events is detailed below:

CPU0                                | CPU1
brcmf_btcoex_detach                 | brcmf_btcoex_timerfunc
                                    | bt_local->timer_on = false;
if (cfg->btcoex->timer_on)          |
...                                 |
cancel_work_sync();                 |
...                                 |
kfree(cfg->btcoex); // FREE         |
                                    | schedule_work(&bt_local->work); // USE

Scenario 2: Freed after the worker is scheduled

The brcmf_btcoex_info is freed after the worker has been scheduled but before or during its execution. In this case, statements within brcmf_btcoex_handler(), such as the container_of macro and subsequent dereferences of the brcmf_btcoex_info object, will cause a use-after-free access. The following timeline illustrates this scenario:

CPU0                                | CPU1
brcmf_btcoex_detach                 | brcmf_btcoex_timerfunc
                                    | bt_local->timer_on = false;
if (cfg->btcoex->timer_on)          |
...                                 |
cancel_work_sync();                 |
...                                 | schedule_work(); // Reschedule
kfree(cfg->btcoex); // FREE         | brcmf_btcoex_handler() // Worker
/*                                  | btci = container_of(....); // USE
The kfree() above could             | ...
also occur at any point             | btci-> // USE
during the worker's execution       |
*/                                  |

To resolve the race conditions, drop the conditional check and call timer_shutdown_sync() directly. It can deactivate the timer reliably, regardless of its current state. Once stopped, the timer_on state is then set to false.
Source: NVD (National Vulnerability Database)
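The race in the NVD description above, replayed as an added deterministic user-space model (this is not the kernel code; the struct and function names are assumptions standing in for brcmf_btcoex_info, timer_shutdown_sync() and cancel_work_sync()). It shows that the detach flag check is already stale once the timer handler has cleared timer_on, so the pre-fix detach skips the synchronous shutdown and the handler reschedules work against freed memory, while the unconditional timer_shutdown_sync() of the fix waits for the handler first:

```c
#include <stdbool.h>
/* Deterministic model of the driver state (assumed names, not the kernel struct). */
struct btcoex_model {
    bool timer_on;       /* driver flag that the pre-fix detach() checks */
    bool timer_running;  /* brcmf_btcoex_timerfunc() is mid-execution */
    bool work_scheduled; /* the btcoex worker is queued */
    bool freed;          /* kfree(cfg->btcoex) has happened */
    bool uaf;            /* set when freed memory is touched */
};

/* First half of brcmf_btcoex_timerfunc(): the handler clears timer_on. */
static void timerfunc_begin(struct btcoex_model *bt) {
    bt->timer_on = false;
    bt->timer_running = true;
}

/* Second half: schedule_work(&bt_local->work); touching freed memory is the UAF. */
static void timerfunc_end(struct btcoex_model *bt) {
    if (!bt->timer_running) return;   /* handler already ran to completion */
    bt->timer_running = false;
    if (bt->freed) { bt->uaf = true; return; }
    bt->work_scheduled = true;
}

/* timer_shutdown_sync(): waits for an in-flight handler; the timer cannot rearm after. */
static void timer_shutdown_sync_model(struct btcoex_model *bt) { timerfunc_end(bt); }
static void cancel_work_sync_model(struct btcoex_model *bt) { bt->work_scheduled = false; }

/* Pre-fix brcmf_btcoex_detach(): the flag check races with the handler clearing it. */
static void detach_vulnerable(struct btcoex_model *bt) {
    if (bt->timer_on)
        timer_shutdown_sync_model(bt);
    cancel_work_sync_model(bt);
    bt->freed = true;                 /* kfree(cfg->btcoex) */
}

/* Fixed detach: shut the timer down unconditionally, then clear the flag. */
static void detach_fixed(struct btcoex_model *bt) {
    timer_shutdown_sync_model(bt);
    bt->timer_on = false;
    cancel_work_sync_model(bt);
    bt->freed = true;
}

/* Replay Scenario 1 from the description; returns true if a use-after-free occurred. */
bool replay_scenario1(void (*detach)(struct btcoex_model *)) {
    struct btcoex_model bt = { .timer_on = true };
    timerfunc_begin(&bt); /* CPU1: bt_local->timer_on = false */
    detach(&bt);          /* CPU0: flag check, cancel_work_sync(), kfree() */
    timerfunc_end(&bt);   /* CPU1: schedule_work(&bt_local->work) */
    return bt.uaf;
}
```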
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel security vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel is the kernel used by Linux, the open-source operating system of the Linux Foundation (United States). A security vulnerability exists in the Linux kernel: it stems from the brcmf_btcoex_info work item possibly being rescheduled after it has been cancelled, leading to a use-after-free.
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor | Product | Affected Versions                                                                     | CPE
Linux  | Linux   | 61730d4dfffc2cc9d3a49fad87633008105c18ba ~ ae58f70bde0433f27ef4b388ab50634736607bf6 | -
Linux  | Linux   | 3.10                                                                                  | -

II. Public POCs for CVE-2025-39863


No public POC found.


III. Intelligence Information for CVE-2025-39863

Patch · 1

Same Patch Batch · Linux · 2025-09-19 · 30 CVEs total

CVE-2025-39852  net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6
CVE-2025-39837  platform/x86: asus-wmi: Fix racy registrations
CVE-2025-39838  cifs: prevent NULL pointer dereference in UTF16 conversion
CVE-2025-39839  batman-adv: fix OOB read/write in network-coding decode
CVE-2025-39840  audit: fix out-of-bounds read in audit_compare_dname_path()
CVE-2025-39841  scsi: lpfc: Fix buffer free/clear order in deferred receive path
CVE-2025-39842  ocfs2: prevent release journal inode after journal shutdown
CVE-2025-39844  mm: move page table sync declarations to linux/pgtable.h
CVE-2025-39843  mm: slub: avoid wake up kswapd in set_track_prepare
CVE-2025-39845  x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings()
CVE-2025-39846  pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region()
CVE-2025-39847  ppp: fix memory leak in pad_compress_skb
CVE-2025-39848  ax25: properly unshare skbs in ax25_kiss_rcv()
CVE-2025-39849  wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()
CVE-2025-39850  vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects
CVE-2025-39866  fs: writeback: fix use-after-free in __mark_inode_dirty()
CVE-2025-39851  vxlan: Fix NPD when refreshing an FDB entry with a nexthop object
CVE-2025-39853  i40e: Fix potential invalid access when MAC list is empty
CVE-2025-39854  ice: fix NULL access of tx->in_use in ice_ll_ts_intr
CVE-2025-39856  net: ethernet: ti: am65-cpsw-nuss: Fix null pointer dereference for ndev

Showing top 20 of 30 CVEs.

IV. Related Vulnerabilities

V. Comments for CVE-2025-39863
