CVE-2025-40213

Linux Kernel - Use-After-Free in Bluetooth MGMT Mesh Sync and Complete

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to memcpy from badly declared on-stack flexible array. Another crash is in set_mesh_complete() due to double list_del via mgmt_pending_valid + mgmt_pending_remove. Use DEFINE_FLEX to declare the flexible array right, and don't memcpy outside bounds. As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free, and also report status on error.

Scores

EPSS 0.0016
EPSS Percentile 6.0%

Details

Status published
Products (12)
linux/Kernel 6.17.0 - 6.17.8linux
Linux/Linux < 6.17
Linux/Linux 0b60eb04b8524e1b4b3f07fea0d16fda9a677d9a
Linux/Linux 302a1f674c00dd5581ab8e493ef44767c5101aab - 1c9aca1787e8395a2c59fef20e914467958969c5
Linux/Linux 302a1f674c00dd5581ab8e493ef44767c5101aab - e8785404de06a69d89dcdd1e9a0b6ea42dc6d327
Linux/Linux 6.16.10 - 6.17
Linux/Linux 6.17
Linux/Linux 6.17.8 - 6.17.*
Linux/Linux 6.18
Linux/Linux 6.6.140 - 6.7
... and 2 more
Published Nov 24, 2025
Tracked Since Feb 18, 2026