CVE-2025-21969 in Linuxinfo

Summary

by MITRE • 04/01/2025

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd

After the hci sync command releases l2cap_conn, the hci receive data work queue references the released l2cap_conn when sending to the upper layer. Add hci dev lock to the hci receive data work queue to synchronize the two.

[1]
BUG: KASAN: slab-use-after-free in l2cap_send_cmd+0x187/0x8d0 net/bluetooth/l2cap_core.c:954 Read of size 8 at addr ffff8880271a4000 by task kworker/u9:2/5837

CPU: 0 UID: 0 PID: 5837 Comm: kworker/u9:2 Not tainted 6.13.0-rc5-syzkaller-00163-gab75170520d4 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: hci1 hci_rx_work Call Trace: __dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline]
print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 l2cap_build_cmd net/bluetooth/l2cap_core.c:2964 [inline]
l2cap_send_cmd+0x187/0x8d0 net/bluetooth/l2cap_core.c:954 l2cap_sig_send_rej net/bluetooth/l2cap_core.c:5502 [inline]
l2cap_sig_channel net/bluetooth/l2cap_core.c:5538 [inline]
l2cap_recv_frame+0x221f/0x10db0 net/bluetooth/l2cap_core.c:6817 hci_acldata_packet net/bluetooth/hci_core.c:3797 [inline]
hci_rx_work+0x508/0xdb0 net/bluetooth/hci_core.c:4040 process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Allocated by task 5837: kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329 kmalloc_noprof include/linux/slab.h:901 [inline]
kzalloc_noprof include/linux/slab.h:1037 [inline]
l2cap_conn_add+0xa9/0x8e0 net/bluetooth/l2cap_core.c:6860 l2cap_connect_cfm+0x115/0x1090 net/bluetooth/l2cap_core.c:7239 hci_connect_cfm include/net/bluetooth/hci_core.h:2057 [inline]
hci_remote_features_evt+0x68e/0xac0 net/bluetooth/hci_event.c:3726 hci_event_func net/bluetooth/hci_event.c:7473 [inline]
hci_event_packet+0xac2/0x1540 net/bluetooth/hci_event.c:7525 hci_rx_work+0x3f3/0xdb0 net/bluetooth/hci_core.c:4035 process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Freed by task 54: kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2353 [inline]
slab_free mm/slub.c:4613 [inline]
kfree+0x196/0x430 mm/slub.c:4761 l2cap_connect_cfm+0xcc/0x1090 net/bluetooth/l2cap_core.c:7235 hci_connect_cfm include/net/bluetooth/hci_core.h:2057 [inline]
hci_conn_failed+0x287/0x400 net/bluetooth/hci_conn.c:1266 hci_abort_conn_sync+0x56c/0x11f0 net/bluetooth/hci_sync.c:5603 hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332 process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entr ---truncated---

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 02/01/2026

The vulnerability described in CVE-2025-21969 pertains to a slab-use-after-free condition in the Linux kernel's Bluetooth implementation, specifically within the L2CAP (Logical Link Control and Adaptation Protocol) layer. This flaw occurs when a Bluetooth connection is terminated and the associated l2cap_conn structure is freed, but subsequent asynchronous work items in the HCI (Host Controller Interface) receive data work queue still attempt to access the freed memory. The issue manifests as a use-after-free error during the execution of l2cap_send_cmd, where a read operation attempts to access a memory region that was previously deallocated. This scenario presents a critical security risk, as it could potentially be exploited to achieve arbitrary code execution or cause system instability through denial of service.

The root cause lies in the lack of proper synchronization between the hci sync command that frees the l2cap_conn structure and the hci receive data work queue that processes incoming Bluetooth data. When hci_conn_failed is invoked, it triggers the freeing of the l2cap_conn object, but the hci_rx_work function continues to reference this now-invalid memory location. The kernel's KASAN (Kernel Address Sanitizer) tool detects this violation by tracking memory allocation and deallocation patterns, identifying that the memory at address ffff8880271a4000 was freed by task 54 but later accessed by task 5837 in the l2cap_send_cmd function. This race condition between asynchronous work processing and resource deallocation is a classic example of improper synchronization in kernel-level multithreading environments.

The operational impact of this vulnerability extends beyond simple system instability, potentially enabling privilege escalation or persistent denial of service attacks against Bluetooth-enabled systems. An attacker could leverage this condition to corrupt kernel memory structures, leading to system crashes or, in more sophisticated scenarios, gain elevated privileges within the kernel space. The vulnerability affects systems running Linux kernel versions that include the affected Bluetooth stack components, particularly those with active Bluetooth connectivity and concurrent work queue processing. The flaw is particularly concerning in embedded systems, IoT devices, or servers that rely on Bluetooth for communication protocols, where such a condition could be exploited to compromise the entire system or disrupt critical services. This vulnerability aligns with CWE-416 (Use After Free) and represents a failure to implement proper locking mechanisms between concurrent kernel threads accessing shared resources.

The recommended mitigation strategy involves implementing proper synchronization mechanisms using the hci dev lock to ensure that the hci receive data work queue waits for any ongoing operations on the freed l2cap_conn before proceeding. This approach aligns with best practices in kernel security and follows the ATT&CK framework's concept of privilege escalation through kernel vulnerabilities. The fix requires modifications to the Bluetooth subsystem to ensure that l2cap_conn structures are not accessed after being freed, typically through the introduction of reference counting or locking mechanisms that prevent concurrent access to deallocated memory. System administrators should update to kernel versions that include the patched Bluetooth implementation, and organizations should conduct thorough testing to ensure that the fix does not introduce performance regressions or compatibility issues with existing Bluetooth applications and services.

Responsible

Linux

Reservation

12/29/2024

Disclosure

04/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00180

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!