{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-40284","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.184Z","datePublished":"2025-12-06T21:51:08.488Z","dateUpdated":"2026-05-11T21:46:22.476Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:46:22.476Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: cancel mesh send timer when hdev removed\n\nmesh_send_done timer is not canceled when hdev is removed, which causes\ncrash if the timer triggers after hdev is gone.\n\nCancel the timer when MGMT removes the hdev, like other MGMT timers.\n\nShould fix the BUG: sporadically seen by BlueZ test bot\n(in \"Mesh - Send cancel - 1\" test).\n\nLog:\n------\nBUG: KASAN: slab-use-after-free in run_timer_softirq+0x76b/0x7d0\n...\nFreed by task 36:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n __kasan_save_free_info+0x3a/0x60\n __kasan_slab_free+0x43/0x70\n kfree+0x103/0x500\n device_release+0x9a/0x210\n kobject_put+0x100/0x1e0\n vhci_release+0x18b/0x240\n------"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/bluetooth/mgmt.c"],"versions":[{"version":"b338d91703fae6f6afd67f3f75caa3b8f36ddef3","lessThan":"990e6143b0ca0c66f099d67d00c112bf59b30d76","status":"affected","versionType":"git"},{"version":"b338d91703fae6f6afd67f3f75caa3b8f36ddef3","lessThan":"2927ff643607eddf4f03d10ef80fe10d977154aa","status":"affected","versionType":"git"},{"version":"b338d91703fae6f6afd67f3f75caa3b8f36ddef3","lessThan":"7b6b6c077cad0601d62c3c34ab7ce3fb25deda7b","status":"affected","versionType":"git"},{"version":"b338d91703fae6f6afd67f3f75caa3b8f36ddef3","lessThan":"fd62ca5ad136dcf6f5aa308423b299a6be6f54ea","status":"affected","versionType":"git"},{"version":"b338d91703fae6f6afd67f3f75caa3b8f36ddef3","lessThan":"55fb52ffdd62850d667ebed842815e072d3c9961","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/bluetooth/mgmt.c"],"versions":[{"version":"6.1","status":"affected"},{"version":"0","lessThan":"6.1","status":"unaffected","versionType":"semver"},{"version":"6.1.159","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.117","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.59","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.17.9","lessThanOrEqual":"6.17.*","status":"unaffected","versionType":"semver"},{"version":"6.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1","versionEndExcluding":"6.1.159"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1","versionEndExcluding":"6.6.117"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1","versionEndExcluding":"6.12.59"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1","versionEndExcluding":"6.17.9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1","versionEndExcluding":"6.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/990e6143b0ca0c66f099d67d00c112bf59b30d76"},{"url":"https://git.kernel.org/stable/c/2927ff643607eddf4f03d10ef80fe10d977154aa"},{"url":"https://git.kernel.org/stable/c/7b6b6c077cad0601d62c3c34ab7ce3fb25deda7b"},{"url":"https://git.kernel.org/stable/c/fd62ca5ad136dcf6f5aa308423b299a6be6f54ea"},{"url":"https://git.kernel.org/stable/c/55fb52ffdd62850d667ebed842815e072d3c9961"}],"title":"Bluetooth: MGMT: cancel mesh send timer when hdev removed","x_generator":{"engine":"bippy-1.2.0"}}}}