{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38593","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:24.028Z","datePublished":"2025-08-19T17:03:18.960Z","dateUpdated":"2026-05-11T21:31:15.126Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:31:15.126Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: fix double free in 'hci_discovery_filter_clear()'\n\nFunction 'hci_discovery_filter_clear()' frees 'uuids' array and then\nsets it to NULL. There is a tiny chance of the following race:\n\n'hci_cmd_sync_work()'\n\n 'update_passive_scan_sync()'\n\n   'hci_update_passive_scan_sync()'\n\n     'hci_discovery_filter_clear()'\n       kfree(uuids);\n\n       <-------------------------preempted-------------------------------->\n                                           'start_service_discovery()'\n\n                                             'hci_discovery_filter_clear()'\n                                               kfree(uuids); // DOUBLE FREE\n\n       <-------------------------preempted-------------------------------->\n\n      uuids = NULL;\n\nTo fix it let's add locking around 'kfree()' call and NULL pointer\nassignment. Otherwise the following backtrace fires:\n\n[ ] ------------[ cut here ]------------\n[ ] kernel BUG at mm/slub.c:547!\n[ ] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\n[ ] CPU: 3 UID: 0 PID: 246 Comm: bluetoothd Tainted: G O 6.12.19-kernel #1\n[ ] Tainted: [O]=OOT_MODULE\n[ ] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ ] pc : __slab_free+0xf8/0x348\n[ ] lr : __slab_free+0x48/0x348\n...\n[ ] Call trace:\n[ ]  __slab_free+0xf8/0x348\n[ ]  kfree+0x164/0x27c\n[ ]  start_service_discovery+0x1d0/0x2c0\n[ ]  hci_sock_sendmsg+0x518/0x924\n[ ]  __sock_sendmsg+0x54/0x60\n[ ]  sock_write_iter+0x98/0xf8\n[ ]  do_iter_readv_writev+0xe4/0x1c8\n[ ]  vfs_writev+0x128/0x2b0\n[ ]  do_writev+0xfc/0x118\n[ ]  __arm64_sys_writev+0x20/0x2c\n[ ]  invoke_syscall+0x68/0xf0\n[ ]  el0_svc_common.constprop.0+0x40/0xe0\n[ ]  do_el0_svc+0x1c/0x28\n[ ]  el0_svc+0x30/0xd0\n[ ]  el0t_64_sync_handler+0x100/0x12c\n[ ]  el0t_64_sync+0x194/0x198\n[ ] Code: 8b0002e6 eb17031f 54fffbe1 d503201f (d4210000)\n[ ] ---[ end trace 0000000000000000 ]---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/net/bluetooth/hci_core.h"],"versions":[{"version":"ad383c2c65a5baf16e334cd40a013cc302176891","lessThan":"86f3dcd1f331cfd4fd7ec88906955134ec51afbe","status":"affected","versionType":"git"},{"version":"ad383c2c65a5baf16e334cd40a013cc302176891","lessThan":"7ce9bb0b95fc280e9212b8922590c492ca1d9c39","status":"affected","versionType":"git"},{"version":"ad383c2c65a5baf16e334cd40a013cc302176891","lessThan":"16852eccbdfaf41a666705e3f8be55cf2864c5ca","status":"affected","versionType":"git"},{"version":"ad383c2c65a5baf16e334cd40a013cc302176891","lessThan":"a351ff6b8ecca4229afaa0d98042bead8de64799","status":"affected","versionType":"git"},{"version":"ad383c2c65a5baf16e334cd40a013cc302176891","lessThan":"f8069f34c4c976786ded97498012225af87435d7","status":"affected","versionType":"git"},{"version":"ad383c2c65a5baf16e334cd40a013cc302176891","lessThan":"2935e556850e9c94d7a00adf14d3cd7fe406ac03","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/net/bluetooth/hci_core.h"],"versions":[{"version":"5.17","status":"affected"},{"version":"0","lessThan":"5.17","status":"unaffected","versionType":"semver"},{"version":"6.1.159","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.117","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.42","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.15.10","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16.1","lessThanOrEqual":"6.16.*","status":"unaffected","versionType":"semver"},{"version":"6.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.17","versionEndExcluding":"6.1.159"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.17","versionEndExcluding":"6.6.117"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.17","versionEndExcluding":"6.12.42"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.17","versionEndExcluding":"6.15.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.17","versionEndExcluding":"6.16.1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.17","versionEndExcluding":"6.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/86f3dcd1f331cfd4fd7ec88906955134ec51afbe"},{"url":"https://git.kernel.org/stable/c/7ce9bb0b95fc280e9212b8922590c492ca1d9c39"},{"url":"https://git.kernel.org/stable/c/16852eccbdfaf41a666705e3f8be55cf2864c5ca"},{"url":"https://git.kernel.org/stable/c/a351ff6b8ecca4229afaa0d98042bead8de64799"},{"url":"https://git.kernel.org/stable/c/f8069f34c4c976786ded97498012225af87435d7"},{"url":"https://git.kernel.org/stable/c/2935e556850e9c94d7a00adf14d3cd7fe406ac03"}],"title":"Bluetooth: hci_sync: fix double free in 'hci_discovery_filter_clear()'","x_generator":{"engine":"bippy-1.2.0"}}}}