CVE-2025-40213
Linux Kernel - Use-After-Free in Bluetooth MGMT Mesh Sync and Complete
Title source: llmDescription
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to memcpy from badly declared on-stack flexible array. Another crash is in set_mesh_complete() due to double list_del via mgmt_pending_valid + mgmt_pending_remove. Use DEFINE_FLEX to declare the flexible array right, and don't memcpy outside bounds. As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free, and also report status on error.
References (3)
Core 3
Scores
EPSS
0.0016
EPSS Percentile
6.0%
Details
Status
published
Products (12)
linux/Kernel
6.17.0 - 6.17.8linux
Linux/Linux
< 6.17
Linux/Linux
0b60eb04b8524e1b4b3f07fea0d16fda9a677d9a
Linux/Linux
302a1f674c00dd5581ab8e493ef44767c5101aab - 1c9aca1787e8395a2c59fef20e914467958969c5
Linux/Linux
302a1f674c00dd5581ab8e493ef44767c5101aab - e8785404de06a69d89dcdd1e9a0b6ea42dc6d327
Linux/Linux
6.16.10 - 6.17
Linux/Linux
6.17
Linux/Linux
6.17.8 - 6.17.*
Linux/Linux
6.18
Linux/Linux
6.6.140 - 6.7
... and 2 more
Published
Nov 24, 2025
Tracked Since
Feb 18, 2026