CVE-2025-68305
- Source
- https://cve.org/CVERecord?id=CVE-2025-68305
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68305.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-68305
- Downstream
- Related
- Published
- 2025-12-16T15:06:22.812Z
- Modified
- 2026-03-13T04:05:37.778777Z
- Summary
- Bluetooth: hci_sock: Prevent race in socket write iter and sock bind
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_sock: Prevent race in socket write iter and sock bind
There is a potential race condition between sock bind and socket write iter. bind may free the same cmd via mgmt_pending before write iter sends the cmd, just as syzbot reported in UAF[1].
Here we use hcidevlock to synchronize the two, thereby avoiding the UAF mentioned in [1].
[1] syzbot reported: BUG: KASAN: slab-use-after-free in mgmtpendingremove+0x3b/0x210 net/bluetooth/mgmtutil.c:316 Read of size 8 at addr ffff888077164818 by task syz.0.17/5989 Call Trace: mgmtpendingremove+0x3b/0x210 net/bluetooth/mgmtutil.c:316 setlinksecurity+0x5c2/0x710 net/bluetooth/mgmt.c:1918 hcimgmtcmd+0x9c9/0xef0 net/bluetooth/hcisock.c:1719 hcisocksendmsg+0x6ca/0xef0 net/bluetooth/hcisock.c:1839 socksendmsgnosec net/socket.c:727 [inline] _socksendmsg+0x21c/0x270 net/socket.c:742 sockwriteiter+0x279/0x360 net/socket.c:1195
Allocated by task 5989: mgmtpendingadd+0x35/0x140 net/bluetooth/mgmtutil.c:296 setlinksecurity+0x557/0x710 net/bluetooth/mgmt.c:1910 hcimgmtcmd+0x9c9/0xef0 net/bluetooth/hcisock.c:1719 hcisocksendmsg+0x6ca/0xef0 net/bluetooth/hcisock.c:1839 socksendmsg_nosec net/socket.c:727 [inline] _socksendmsg+0x21c/0x270 net/socket.c:742 sockwriteiter+0x279/0x360 net/socket.c:1195
Freed by task 5991: mgmtpendingfree net/bluetooth/mgmtutil.c:311 [inline] mgmtpendingforeach+0x30d/0x380 net/bluetooth/mgmtutil.c:257 mgmtindexremoved+0x112/0x2f0 net/bluetooth/mgmt.c:9477 hcisockbind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68305.json" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/69fcb0344bc0dd5b13d7e4e98f8b6bf25a6d4ff7
- https://git.kernel.org/stable/c/89bb613511cc21ed5ba6bddc1c9b9ae9c0dad392
- https://git.kernel.org/stable/c/e90c05fc5bbea956450a05cc3b36b8fa29cf195e
- https://git.kernel.org/stable/c/fe68510fc99bb4b88c9c611f83699749002d515a
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68305.json
- https://nvd.nist.gov/vuln/detail/CVE-2025-68305
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedbdd56875c6926d8009914f427df71797693e90d4Fixedfe68510fc99bb4b88c9c611f83699749002d515a
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced4e83f2dbb2bf677e614109df24426c4dded472d4Fixede90c05fc5bbea956450a05cc3b36b8fa29cf195e
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced6fe26f694c824b8a4dbf50c635bee1302e3f099cFixed69fcb0344bc0dd5b13d7e4e98f8b6bf25a6d4ff7Fixed89bb613511cc21ed5ba6bddc1c9b9ae9c0dad392
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedd7882db79135c829a922daf3571f33ea1e056ae3