CVE-2025-39861

Summary

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: vhci: Prevent use-after-free by removing debugfs files early

Move the creation of debugfs files into a dedicated function, and ensure they are explicitly removed during vhci_release(), before associated data structures are freed.

Previously, debugfs files such as "force_suspend", "force_wakeup", and others were created under hdev->debugfs but not removed in vhci_release(). Since vhci_release() frees the backing vhci_data structure, any access to these files after release would result in use-after-free errors.

Although hdev->debugfs is later freed in hci_release_dev(), user can access files after vhci_data is freed but before hdev->debugfs is released.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxab4e4380d4e158486e595013a2635190e07e28ce < bd75eba88e88d7b896b0c737b02a74a12afc235faffected
LinuxLinuxab4e4380d4e158486e595013a2635190e07e28ce < 1503756fffe76d5aea2371a4b8dee20c3577bcfdaffected
LinuxLinuxab4e4380d4e158486e595013a2635190e07e28ce < 7cc08f2f127b9a66f46ea918e34353811a7cb378affected
LinuxLinuxab4e4380d4e158486e595013a2635190e07e28ce < 28010791193a4503f054e8d69a950ef815deb539affected
LinuxLinux6.4affected
LinuxLinux0 < 6.4unaffected
LinuxLinux6.6.105 <= 6.6.*unaffected
LinuxLinux6.12.46 <= 6.12.*unaffected
LinuxLinux6.16.6 <= 6.16.*unaffected
LinuxLinux6.17 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References