CVE-2025-23139 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_uart: Fix another race during initialization
Do not set 'HCI_UART_PROTO_READY' before call 'hci_uart_register_dev()'. Possible race is when someone calls 'hci_tty_uart_close()' after this bit is set, but 'hci_uart_register_dev()' wasn't done. This leads to access to uninitialized fields. To fix it let's set this bit after device was registered (as before patch c411c62cc133) and to fix previous problem let's add one more bit in addition to 'HCI_UART_PROTO_READY' which allows to perform power up without original bit set (pls see commit c411c62cc133).
Crash backtrace from syzbot report:
RIP: 0010:skb_queue_empty_lockless include/linux/skbuff.h:1887 [inline]
RIP: 0010:skb_queue_purge_reason+0x6d/0x140 net/core/skbuff.c:3936
Call Trace: skb_queue_purge include/linux/skbuff.h:3364 [inline]
mrvl_close+0x2f/0x90 drivers/bluetooth/hci_mrvl.c:100 hci_uart_tty_close+0xb6/0x120 drivers/bluetooth/hci_ldisc.c:557 tty_ldisc_close drivers/tty/tty_ldisc.c:455 [inline]
tty_ldisc_kill+0x66/0xc0 drivers/tty/tty_ldisc.c:613 tty_ldisc_release+0xc9/0x120 drivers/tty/tty_ldisc.c:781 tty_release_struct+0x10/0x80 drivers/tty/tty_io.c:1690 tty_release+0x4ef/0x640 drivers/tty/tty_io.c:1861 __fput+0x86/0x2a0 fs/file_table.c:450 task_work_run+0x82/0xb0 kernel/task_work.c:239 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xa3/0x1b0 kernel/entry/common.c:218 do_syscall_64+0x9a/0x190 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 03/15/2026
The vulnerability CVE-2025-23139 addresses a race condition in the Linux kernel's Bluetooth subsystem, specifically within the hci_uart driver component that handles UART-based Bluetooth communication. This flaw exists in the initialization sequence of Bluetooth UART devices and stems from improper ordering of state flag setting relative to device registration operations. The issue manifests when the HCI_UART_PROTO_READY flag is set before hci_uart_register_dev() completes, creating a window where concurrent operations can access uninitialized device structures. Such a scenario leads to memory corruption and potential system crashes as demonstrated by the syzbot crash report showing execution paths through skb_queue_purge and related networking stack functions. The vulnerability is classified under CWE-362, which represents a race condition in kernel space, and aligns with ATT&CK technique T1059.003 for execution through kernel modules.
The technical implementation flaw occurs in the Bluetooth UART driver initialization logic where the HCI_UART_PROTO_READY flag is prematurely set, allowing other kernel threads to proceed with operations that assume the device is fully initialized. This race condition enables a scenario where hci_tty_uart_close() can be invoked after the protocol ready flag is set but before device registration completes, resulting in access to uninitialized memory fields. The fix implemented involves reordering the flag setting to occur after device registration, following the pattern established in commit c411c62cc133, while also introducing an additional bit to manage power-up operations without requiring the original protocol ready flag to be set. This dual approach ensures proper synchronization between device initialization phases and prevents concurrent access to partially constructed device structures.
The operational impact of this vulnerability extends beyond simple system instability to potentially enable privilege escalation or denial of service conditions within systems relying on Bluetooth UART communication. Attackers could exploit this race condition to trigger kernel memory corruption, leading to system crashes or potentially allowing malicious code execution in kernel space. The vulnerability affects systems running Linux kernels with Bluetooth UART support, particularly those using UART-based Bluetooth adapters or embedded Bluetooth modules. The crash backtrace indicates that the issue occurs during tty_ldisc_close operations, suggesting that terminal line discipline cleanup routines attempt to access uninitialized device buffers when the Bluetooth device state is inconsistent.
Mitigation strategies for this vulnerability include applying the kernel patch that reorders the flag setting operations and implements the additional bit management approach. System administrators should prioritize updating to kernel versions containing the fix, as the vulnerability can be exploited by malicious actors with local access to the system. Organizations should also implement monitoring for unusual Bluetooth device behavior or kernel crashes that might indicate exploitation attempts. The fix aligns with security best practices for kernel development by ensuring proper synchronization primitives are used during device initialization and by preventing premature flag setting that could lead to inconsistent device states. This vulnerability demonstrates the importance of careful synchronization in kernel drivers, particularly for hardware interfaces where timing-sensitive operations must maintain consistent state across concurrent access paths.