{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-39863","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.143Z","datePublished":"2025-09-19T15:26:33.069Z","dateUpdated":"2026-05-11T21:37:53.934Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:37:53.934Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work\n\nThe brcmf_btcoex_detach() only shuts down the btcoex timer, if the\nflag timer_on is false. However, the brcmf_btcoex_timerfunc(), which\nruns as timer handler, sets timer_on to false. This creates critical\nrace conditions:\n\n1.If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc()\nis executing, it may observe timer_on as false and skip the call to\ntimer_shutdown_sync().\n\n2.The brcmf_btcoex_timerfunc() may then reschedule the brcmf_btcoex_info\nworker after the cancel_work_sync() has been executed, resulting in\nuse-after-free bugs.\n\nThe use-after-free bugs occur in two distinct scenarios, depending on\nthe timing of when the brcmf_btcoex_info struct is freed relative to\nthe execution of its worker thread.\n\nScenario 1: Freed before the worker is scheduled\n\nThe brcmf_btcoex_info is deallocated before the worker is scheduled.\nA race condition can occur when schedule_work(&bt_local->work) is\ncalled after the target memory has been freed. The sequence of events\nis detailed below:\n\nCPU0                           | CPU1\nbrcmf_btcoex_detach            | brcmf_btcoex_timerfunc\n                               |   bt_local->timer_on = false;\n  if (cfg->btcoex->timer_on)   |\n    ...                        |\n  cancel_work_sync();          |\n  ...                          |\n  kfree(cfg->btcoex); // FREE  |\n                               |   schedule_work(&bt_local->work); // USE\n\nScenario 2: Freed after the worker is scheduled\n\nThe brcmf_btcoex_info is freed after the worker has been scheduled\nbut before or during its execution. In this case, statements within\nthe brcmf_btcoex_handler() — such as the container_of macro and\nsubsequent dereferences of the brcmf_btcoex_info object will cause\na use-after-free access. The following timeline illustrates this\nscenario:\n\nCPU0                            | CPU1\nbrcmf_btcoex_detach             | brcmf_btcoex_timerfunc\n                                |   bt_local->timer_on = false;\n  if (cfg->btcoex->timer_on)    |\n    ...                         |\n  cancel_work_sync();           |\n  ...                           |   schedule_work(); // Reschedule\n                                |\n  kfree(cfg->btcoex); // FREE   |   brcmf_btcoex_handler() // Worker\n  /*                            |     btci = container_of(....); // USE\n   The kfree() above could      |     ...\n   also occur at any point      |     btci-> // USE\n   during the worker's execution|\n   */                           |\n\nTo resolve the race conditions, drop the conditional check and call\ntimer_shutdown_sync() directly. It can deactivate the timer reliably,\nregardless of its current state. Once stopped, the timer_on state is\nthen set to false."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c"],"versions":[{"version":"61730d4dfffc2cc9d3a49fad87633008105c18ba","lessThan":"ae58f70bde0433f27ef4b388ab50634736607bf6","status":"affected","versionType":"git"},{"version":"61730d4dfffc2cc9d3a49fad87633008105c18ba","lessThan":"f1150153c4e5940fe49ab51136343c5b4fe49d63","status":"affected","versionType":"git"},{"version":"61730d4dfffc2cc9d3a49fad87633008105c18ba","lessThan":"3e789f8475f6c857c88de5c5bf4b24b11a477dd7","status":"affected","versionType":"git"},{"version":"61730d4dfffc2cc9d3a49fad87633008105c18ba","lessThan":"2f6fbc8e04ca1d1d5c560be694199f847229c625","status":"affected","versionType":"git"},{"version":"61730d4dfffc2cc9d3a49fad87633008105c18ba","lessThan":"9cb83d4be0b9b697eae93d321e0da999f9cdfcfc","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c"],"versions":[{"version":"3.10","status":"affected"},{"version":"0","lessThan":"3.10","status":"unaffected","versionType":"semver"},{"version":"6.1.167","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.105","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.46","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.16.6","lessThanOrEqual":"6.16.*","status":"unaffected","versionType":"semver"},{"version":"6.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"6.1.167"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"6.6.105"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"6.12.46"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"6.16.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10","versionEndExcluding":"6.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/ae58f70bde0433f27ef4b388ab50634736607bf6"},{"url":"https://git.kernel.org/stable/c/f1150153c4e5940fe49ab51136343c5b4fe49d63"},{"url":"https://git.kernel.org/stable/c/3e789f8475f6c857c88de5c5bf4b24b11a477dd7"},{"url":"https://git.kernel.org/stable/c/2f6fbc8e04ca1d1d5c560be694199f847229c625"},{"url":"https://git.kernel.org/stable/c/9cb83d4be0b9b697eae93d321e0da999f9cdfcfc"}],"title":"wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":7.8,"attackVector":"LOCAL","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"id":"CVE-2025-39863","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2026-01-14T19:23:53.735650Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-416","description":"CWE-416 Use After Free"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-01-14T19:33:11.612Z"}}]}}