CVE-2025-40284
Linux Kernel 6.1.0-6.1.158, 6.2.0-6.6.116, 6.7.0-6.12.58, 6.13.0-6.17.8 - Use-After-Free in Bluetooth Mesh Send Timer
Title source: llmDescription
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: cancel mesh send timer when hdev removed mesh_send_done timer is not canceled when hdev is removed, which causes crash if the timer triggers after hdev is gone. Cancel the timer when MGMT removes the hdev, like other MGMT timers. Should fix the BUG: sporadically seen by BlueZ test bot (in "Mesh - Send cancel - 1" test). Log: ------ BUG: KASAN: slab-use-after-free in run_timer_softirq+0x76b/0x7d0 ... Freed by task 36: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 __kasan_save_free_info+0x3a/0x60 __kasan_slab_free+0x43/0x70 kfree+0x103/0x500 device_release+0x9a/0x210 kobject_put+0x100/0x1e0 vhci_release+0x18b/0x240 ------
References (5)
Core 5
Core References
Scores
EPSS
0.0006
EPSS Percentile
17.7%
Details
Status
published
Products (16)
linux/Kernel
6.1.0 - 6.1.159linux
linux/Kernel
6.13.0 - 6.17.9linux
linux/Kernel
6.2.0 - 6.6.117linux
linux/Kernel
6.7.0 - 6.12.59linux
Linux/Linux
< 6.1
Linux/Linux
6.1
Linux/Linux
6.1.159 - 6.1.*
Linux/Linux
6.12.59 - 6.12.*
Linux/Linux
6.17.9 - 6.17.*
Linux/Linux
6.18
... and 6 more
Published
Dec 06, 2025
Tracked Since
Feb 18, 2026