CVE-2025-40213 in Linux
Summary
by MITRE • 11/24/2025
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete
There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to memcpy from badly declared on-stack flexible array.
Another crash is in set_mesh_complete() due to double list_del via mgmt_pending_valid + mgmt_pending_remove.
Use DEFINE_FLEX to declare the flexible array right, and don't memcpy outside bounds.
As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free, and also report status on error.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 02/24/2026
The vulnerability CVE-2025-40213 represents a critical stack buffer overflow issue within the Linux kernel's Bluetooth management subsystem, specifically affecting the set_mesh_sync and set_mesh_complete functions. This flaw resides in the kernel's Bluetooth management interface implementation where improper handling of flexible arrays leads to memory corruption and system instability. The issue manifests through two distinct crash scenarios that demonstrate fundamental flaws in memory management and list manipulation within the kernel's Bluetooth subsystem. The first vulnerability occurs in set_mesh_sync where a stack-based flexible array is improperly declared, resulting in a memcpy operation that accesses memory outside the allocated stack bounds. This type of out-of-bounds memory access constitutes a classic stack overflow condition that can be exploited to execute arbitrary code or cause system crashes. The second vulnerability in set_mesh_complete involves a double list deletion scenario where the mgmt_pending_valid and mgmt_pending_remove functions both attempt to remove the same list element, creating a use-after-free condition that can lead to memory corruption and system instability.
The technical root cause of this vulnerability stems from improper memory management practices within the kernel's Bluetooth mesh synchronization implementation. The KASAN (Kernel Address Sanitizer) detection reveals that the flexible array declaration in set_mesh_sync uses an incorrect approach that violates kernel memory safety guidelines. This improper declaration allows the memcpy operation to access stack memory beyond the intended array boundaries, creating a potential exploitation vector for attackers. The use of DEFINE_FLEX for proper flexible array declaration would resolve the stack bounds issue by ensuring correct memory allocation and access patterns. Additionally, the double list deletion problem in set_mesh_complete demonstrates poor list management where the same command structure gets removed from the pending list twice, which can corrupt kernel data structures and lead to unpredictable behavior. This type of vulnerability falls under CWE-121 Stack-based Buffer Overflow and CWE-415 Double Free, both of which are well-documented in the Common Weakness Enumeration catalog and represent serious security concerns in kernel space operations.
The operational impact of CVE-2025-40213 extends beyond simple system crashes to potentially enable privilege escalation and denial of service attacks within Bluetooth-enabled systems. When exploited, these vulnerabilities can cause the Linux kernel to crash or behave unpredictably during Bluetooth mesh synchronization operations, which are critical for mesh networking functionality in IoT devices, industrial automation systems, and mobile devices. The vulnerability affects systems running Linux kernel versions that include the problematic Bluetooth management code, potentially impacting a wide range of devices from smartphones and laptops to embedded systems and industrial control equipment. The attack surface is particularly concerning given that Bluetooth mesh networking is increasingly deployed in security-critical applications where system stability and memory integrity are paramount. From an ATT&CK framework perspective, this vulnerability aligns with techniques involving privilege escalation and system compromise through kernel-level memory corruption, potentially enabling adversaries to gain elevated privileges or disrupt system operations.
Mitigation strategies for CVE-2025-40213 focus on applying the kernel patches that properly implement flexible array declarations and correct list manipulation patterns. The fix involves replacing the incorrect flexible array declaration with DEFINE_FLEX macro usage to ensure proper stack allocation and bounds checking. Additionally, the patch modifies the set_mesh_complete function to use mgmt_pending_free instead of attempting double list deletion, which prevents the use-after-free condition. System administrators should prioritize applying the latest kernel updates that contain these fixes, particularly for devices running Bluetooth mesh networking functionality. Organizations should also implement monitoring for unusual Bluetooth-related system crashes or memory corruption events that might indicate exploitation attempts. The vulnerability highlights the importance of kernel memory safety practices and proper validation of flexible array usage in kernel code, as demonstrated by the KASAN detection mechanism that identified the stack bounds violation. Regular kernel security audits and static analysis of kernel code should be conducted to identify similar memory management issues that could lead to similar vulnerabilities in other subsystems.