{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38592","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:24.026Z","datePublished":"2025-08-19T17:03:18.229Z","dateUpdated":"2026-05-11T21:31:13.780Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:31:13.780Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_devcd_dump: fix out-of-bounds via dev_coredumpv\n\nCurrently both dev_coredumpv and skb_put_data in hci_devcd_dump use\nhdev->dump.head. However, dev_coredumpv can free the buffer. From\ndev_coredumpm_timeout documentation, which is used by dev_coredumpv:\n\n    > Creates a new device coredump for the given device. If a previous one hasn't\n    > been read yet, the new coredump is discarded. The data lifetime is determined\n    > by the device coredump framework and when it is no longer needed the @free\n    > function will be called to free the data.\n\nIf the data has not been read by the userspace yet, dev_coredumpv will\ndiscard new buffer, freeing hdev->dump.head. This leads to\nvmalloc-out-of-bounds error when skb_put_data tries to access\nhdev->dump.head.\n\nA crash report from syzbot illustrates this:\n\n    ==================================================================\n    BUG: KASAN: vmalloc-out-of-bounds in skb_put_data\n    include/linux/skbuff.h:2752 [inline]\n    BUG: KASAN: vmalloc-out-of-bounds in hci_devcd_dump+0x142/0x240\n    net/bluetooth/coredump.c:258\n    Read of size 140 at addr ffffc90004ed5000 by task kworker/u9:2/5844\n\n    CPU: 1 UID: 0 PID: 5844 Comm: kworker/u9:2 Not tainted\n    6.14.0-syzkaller-10892-g4e82c87058f4 #0 PREEMPT(full)\n    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS\n    Google 02/12/2025\n    Workqueue: hci0 hci_devcd_timeout\n    Call Trace:\n     <TASK>\n     __dump_stack lib/dump_stack.c:94 [inline]\n     dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n     print_address_description mm/kasan/report.c:408 [inline]\n     print_report+0xc3/0x670 mm/kasan/report.c:521\n     kasan_report+0xe0/0x110 mm/kasan/report.c:634\n     check_region_inline mm/kasan/generic.c:183 [inline]\n     kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189\n     __asan_memcpy+0x23/0x60 mm/kasan/shadow.c:105\n     skb_put_data include/linux/skbuff.h:2752 [inline]\n     hci_devcd_dump+0x142/0x240 net/bluetooth/coredump.c:258\n     hci_devcd_timeout+0xb5/0x2e0 net/bluetooth/coredump.c:413\n     process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238\n     process_scheduled_works kernel/workqueue.c:3319 [inline]\n     worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400\n     kthread+0x3c2/0x780 kernel/kthread.c:464\n     ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153\n     ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n     </TASK>\n\n    The buggy address ffffc90004ed5000 belongs to a vmalloc virtual mapping\n    Memory state around the buggy address:\n     ffffc90004ed4f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n     ffffc90004ed4f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n    >ffffc90004ed5000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n                       ^\n     ffffc90004ed5080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n     ffffc90004ed5100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n    ==================================================================\n\nTo avoid this issue, reorder dev_coredumpv to be called after\nskb_put_data that does not free the data."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/bluetooth/coredump.c"],"versions":[{"version":"b257e02ecc46f8561d8bd88943164a10c9e90a80","lessThan":"efd55f6a59449f8d4e4953f12c177aa902b7451f","status":"affected","versionType":"git"},{"version":"b257e02ecc46f8561d8bd88943164a10c9e90a80","lessThan":"8c021ad797f9171d015cf0a932a3fbe5232190f5","status":"affected","versionType":"git"},{"version":"b257e02ecc46f8561d8bd88943164a10c9e90a80","lessThan":"7af4d7b53502286c6cf946d397ab183e76d14820","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/bluetooth/coredump.c"],"versions":[{"version":"6.15","status":"affected"},{"version":"0","lessThan":"6.15","status":"unaffected","versionType":"semver"},{"version":"6.15.10","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16.1","lessThanOrEqual":"6.16.*","status":"unaffected","versionType":"semver"},{"version":"6.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.15","versionEndExcluding":"6.15.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.15","versionEndExcluding":"6.16.1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.15","versionEndExcluding":"6.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/efd55f6a59449f8d4e4953f12c177aa902b7451f"},{"url":"https://git.kernel.org/stable/c/8c021ad797f9171d015cf0a932a3fbe5232190f5"},{"url":"https://git.kernel.org/stable/c/7af4d7b53502286c6cf946d397ab183e76d14820"}],"title":"Bluetooth: hci_devcd_dump: fix out-of-bounds via dev_coredumpv","x_generator":{"engine":"bippy-1.2.0"}}}}