CVE-2025-38593

Severity: High (CVSS 3.1 base score 7.8) · EPSS 5.0%
Published Aug 19, 2025 · Last Modified Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_sync: fix double free in 'hci_discovery_filter_clear()'

Function 'hci_discovery_filter_clear()' frees the 'uuids' array and then sets it to NULL. There is a tiny chance of the following race:

'hci_cmd_sync_work()'
 'update_passive_scan_sync()'
  'hci_update_passive_scan_sync()'
   'hci_discovery_filter_clear()'
    kfree(uuids);
<-------------------------preempted-------------------------------->
                                    'start_service_discovery()'
                                     'hci_discovery_filter_clear()'
                                      kfree(uuids); // DOUBLE FREE
<-------------------------preempted-------------------------------->
    uuids = NULL;

To fix it, let's add locking around the 'kfree()' call and the NULL pointer assignment. Otherwise the following backtrace fires:

[ ] ------------[ cut here ]------------
[ ] kernel BUG at mm/slub.c:547!
[ ] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
[ ] CPU: 3 UID: 0 PID: 246 Comm: bluetoothd Tainted: G O 6.12.19-kernel #1
[ ] Tainted: [O]=OOT_MODULE
[ ] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ ] pc : __slab_free+0xf8/0x348
[ ] lr : __slab_free+0x48/0x348
...
[ ] Call trace:
[ ] __slab_free+0xf8/0x348
[ ] kfree+0x164/0x27c
[ ] start_service_discovery+0x1d0/0x2c0
[ ] hci_sock_sendmsg+0x518/0x924
[ ] __sock_sendmsg+0x54/0x60
[ ] sock_write_iter+0x98/0xf8
[ ] do_iter_readv_writev+0xe4/0x1c8
[ ] vfs_writev+0x128/0x2b0
[ ] do_writev+0xfc/0x118
[ ] __arm64_sys_writev+0x20/0x2c
[ ] invoke_syscall+0x68/0xf0
[ ] el0_svc_common.constprop.0+0x40/0xe0
[ ] do_el0_svc+0x1c/0x28
[ ] el0_svc+0x30/0xd0
[ ] el0t_64_sync_handler+0x100/0x12c
[ ] el0t_64_sync+0x194/0x198
[ ] Code: 8b0002e6 eb17031f 54fffbe1 d503201f (d4210000)
[ ] ---[ end trace 0000000000000000 ]---
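The interleaving in the description, replayed sequentially in user space as an added example (not kernel code from the patch): the clear is split at the preemption point the trace shows, a one-slot ledger stands in for the allocator so the second kfree() is counted instead of crashing the process, and the lock is modelled as a flag whose busy caller returns where the real one would sleep. The names hci_dev_model, fake_kfree, clear_part1/clear_part2/clear_full and replay_interleaving are hypothetical.

```c
#include <stdlib.h>

struct hci_dev_model { int locked; unsigned char *uuids; };   /* hdev stand-in */
/* Fake kfree() with a one-slot ledger: freeing a pointer that is no longer
 * live is counted as a double free (CWE-415) instead of reaching free(). */
static void *live_alloc;
static int double_frees;
static void fake_kfree(void *p)
{
    if (!p) return;                              /* kfree(NULL) is a no-op */
    if (p != live_alloc) { double_frees++; return; }
    live_alloc = NULL;
    free(p);
}

/* filter_clear() split at the preemption point the trace shows: part 1 has
 * done the kfree(), part 2 stores NULL. With take_lock both parts run under
 * the lock (the fixed shape). The lock is a flag; a caller that finds it
 * held returns 0 where the real caller would sleep until it is released. */
static int clear_part1(struct hci_dev_model *h, int take_lock)
{
    if (take_lock && h->locked) return 0;
    h->locked = take_lock;
    fake_kfree(h->uuids);
    return 1;
}
static void clear_part2(struct hci_dev_model *h) { h->uuids = NULL; h->locked = 0; }
static int clear_full(struct hci_dev_model *h, int take_lock)
{
    if (!clear_part1(h, take_lock)) return 0;
    clear_part2(h);
    return 1;
}

/* Replays the interleaving from the description: update_passive_scan_sync()
 * (A) is preempted after its kfree(), start_service_discovery() (B) runs a
 * whole clear, then A resumes. Returns the number of double frees observed:
 * 1 for the unlocked shape, 0 once both steps are under the lock. */
int replay_interleaving(int take_lock)
{
    struct hci_dev_model h = { 0, NULL };
    double_frees = 0;
    live_alloc = h.uuids = calloc(4, 16);        /* four 16-byte UUIDs (constructed) */
    clear_part1(&h, take_lock);                  /* A: kfree(uuids), preempted */
    int b_done = clear_full(&h, take_lock);      /* B: unlocked, frees again */
    clear_part2(&h);                             /* A: uuids = NULL (unlock) */
    if (!b_done) clear_full(&h, take_lock);      /* B: wakes, kfree(NULL) no-op */
    return double_frees;
}
```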

CVSS Details

Base Score: 7.8
Exploitability: 1.8
Impact: 5.9
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Threat Intelligence

EPSS Exploit Probability: 5.0% percentile
Exploit & Patch Status: No Known Exploit; Patch Available

Weaknesses (1)

CWE-415 (Double Free)

Affected Products (4)

Vendor   Product        Version   Range
linux    linux_kernel   *         ≥5.17  –  <6.6.117
linux    linux_kernel   *         ≥6.7   –  <6.12.42
linux    linux_kernel   *         ≥6.13  –  <6.15.10
linux    linux_kernel   *         ≥6.16  –  <6.16.1

References (6)

  • https://git.kernel.org/stable/c/16852eccbdfaf41a666705e3f8be55cf2864c5ca (Patch)
  • https://git.kernel.org/stable/c/2935e556850e9c94d7a00adf14d3cd7fe406ac03 (Patch)
  • https://git.kernel.org/stable/c/7ce9bb0b95fc280e9212b8922590c492ca1d9c39 (Patch)
  • https://git.kernel.org/stable/c/86f3dcd1f331cfd4fd7ec88906955134ec51afbe
  • https://git.kernel.org/stable/c/a351ff6b8ecca4229afaa0d98042bead8de64799 (Patch)
  • https://git.kernel.org/stable/c/f8069f34c4c976786ded97498012225af87435d7 (Patch)

Remediation

Upgrade to a kernel outside the affected version ranges listed above, or apply the stable patches listed under References.