CVE-2025-39863 (GCVE-0-2025-39863)
Vulnerability from cvelistv5
Published
2025-09-19 15:26
Modified
2025-09-19 15:26
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work The brcmf_btcoex_detach() only shuts down the btcoex timer, if the flag timer_on is false. However, the brcmf_btcoex_timerfunc(), which runs as timer handler, sets timer_on to false. This creates critical race conditions: 1.If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc() is executing, it may observe timer_on as false and skip the call to timer_shutdown_sync(). 2.The brcmf_btcoex_timerfunc() may then reschedule the brcmf_btcoex_info worker after the cancel_work_sync() has been executed, resulting in use-after-free bugs. The use-after-free bugs occur in two distinct scenarios, depending on the timing of when the brcmf_btcoex_info struct is freed relative to the execution of its worker thread. Scenario 1: Freed before the worker is scheduled The brcmf_btcoex_info is deallocated before the worker is scheduled. A race condition can occur when schedule_work(&bt_local->work) is called after the target memory has been freed. The sequence of events is detailed below: CPU0 | CPU1 brcmf_btcoex_detach | brcmf_btcoex_timerfunc | bt_local->timer_on = false; if (cfg->btcoex->timer_on) | ... | cancel_work_sync(); | ... | kfree(cfg->btcoex); // FREE | | schedule_work(&bt_local->work); // USE Scenario 2: Freed after the worker is scheduled The brcmf_btcoex_info is freed after the worker has been scheduled but before or during its execution. In this case, statements within the brcmf_btcoex_handler() — such as the container_of macro and subsequent dereferences of the brcmf_btcoex_info object will cause a use-after-free access. The following timeline illustrates this scenario: CPU0 | CPU1 brcmf_btcoex_detach | brcmf_btcoex_timerfunc | bt_local->timer_on = false; if (cfg->btcoex->timer_on) | ... | cancel_work_sync(); | ... | schedule_work(); // Reschedule | kfree(cfg->btcoex); // FREE | brcmf_btcoex_handler() // Worker /* | btci = container_of(....); // USE The kfree() above could | ... also occur at any point | btci-> // USE during the worker's execution| */ | To resolve the race conditions, drop the conditional check and call timer_shutdown_sync() directly. It can deactivate the timer reliably, regardless of its current state. Once stopped, the timer_on state is then set to false.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2f6fbc8e04ca1d1d5c560be694199f847229c625
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3e789f8475f6c857c88de5c5bf4b24b11a477dd7
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9cb83d4be0b9b697eae93d321e0da999f9cdfcfc
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f1150153c4e5940fe49ab51136343c5b4fe49d63
Impacted products
Vendor Product Version
Linux Linux Version: 61730d4dfffc2cc9d3a49fad87633008105c18ba
Version: 61730d4dfffc2cc9d3a49fad87633008105c18ba
Version: 61730d4dfffc2cc9d3a49fad87633008105c18ba
Version: 61730d4dfffc2cc9d3a49fad87633008105c18ba
 Create a notification for this product.
   Linux Linux Version: 3.10
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f1150153c4e5940fe49ab51136343c5b4fe49d63",
              "status": "affected",
              "version": "61730d4dfffc2cc9d3a49fad87633008105c18ba",
              "versionType": "git"
            },
            {
              "lessThan": "3e789f8475f6c857c88de5c5bf4b24b11a477dd7",
              "status": "affected",
              "version": "61730d4dfffc2cc9d3a49fad87633008105c18ba",
              "versionType": "git"
            },
            {
              "lessThan": "2f6fbc8e04ca1d1d5c560be694199f847229c625",
              "status": "affected",
              "version": "61730d4dfffc2cc9d3a49fad87633008105c18ba",
              "versionType": "git"
            },
            {
              "lessThan": "9cb83d4be0b9b697eae93d321e0da999f9cdfcfc",
              "status": "affected",
              "version": "61730d4dfffc2cc9d3a49fad87633008105c18ba",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.10"
            },
            {
              "lessThan": "3.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.105",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.46",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17-rc5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.105",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.46",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.6",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17-rc5",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work\n\nThe brcmf_btcoex_detach() only shuts down the btcoex timer, if the\nflag timer_on is false. However, the brcmf_btcoex_timerfunc(), which\nruns as timer handler, sets timer_on to false. This creates critical\nrace conditions:\n\n1.If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc()\nis executing, it may observe timer_on as false and skip the call to\ntimer_shutdown_sync().\n\n2.The brcmf_btcoex_timerfunc() may then reschedule the brcmf_btcoex_info\nworker after the cancel_work_sync() has been executed, resulting in\nuse-after-free bugs.\n\nThe use-after-free bugs occur in two distinct scenarios, depending on\nthe timing of when the brcmf_btcoex_info struct is freed relative to\nthe execution of its worker thread.\n\nScenario 1: Freed before the worker is scheduled\n\nThe brcmf_btcoex_info is deallocated before the worker is scheduled.\nA race condition can occur when schedule_work(\u0026bt_local-\u003ework) is\ncalled after the target memory has been freed. The sequence of events\nis detailed below:\n\nCPU0                           | CPU1\nbrcmf_btcoex_detach            | brcmf_btcoex_timerfunc\n                               |   bt_local-\u003etimer_on = false;\n  if (cfg-\u003ebtcoex-\u003etimer_on)   |\n    ...                        |\n  cancel_work_sync();          |\n  ...                          |\n  kfree(cfg-\u003ebtcoex); // FREE  |\n                               |   schedule_work(\u0026bt_local-\u003ework); // USE\n\nScenario 2: Freed after the worker is scheduled\n\nThe brcmf_btcoex_info is freed after the worker has been scheduled\nbut before or during its execution. In this case, statements within\nthe brcmf_btcoex_handler() \u2014 such as the container_of macro and\nsubsequent dereferences of the brcmf_btcoex_info object will cause\na use-after-free access. The following timeline illustrates this\nscenario:\n\nCPU0                            | CPU1\nbrcmf_btcoex_detach             | brcmf_btcoex_timerfunc\n                                |   bt_local-\u003etimer_on = false;\n  if (cfg-\u003ebtcoex-\u003etimer_on)    |\n    ...                         |\n  cancel_work_sync();           |\n  ...                           |   schedule_work(); // Reschedule\n                                |\n  kfree(cfg-\u003ebtcoex); // FREE   |   brcmf_btcoex_handler() // Worker\n  /*                            |     btci = container_of(....); // USE\n   The kfree() above could      |     ...\n   also occur at any point      |     btci-\u003e // USE\n   during the worker\u0027s execution|\n   */                           |\n\nTo resolve the race conditions, drop the conditional check and call\ntimer_shutdown_sync() directly. It can deactivate the timer reliably,\nregardless of its current state. Once stopped, the timer_on state is\nthen set to false."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-19T15:26:33.069Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f1150153c4e5940fe49ab51136343c5b4fe49d63"
        },
        {
          "url": "https://git.kernel.org/stable/c/3e789f8475f6c857c88de5c5bf4b24b11a477dd7"
        },
        {
          "url": "https://git.kernel.org/stable/c/2f6fbc8e04ca1d1d5c560be694199f847229c625"
        },
        {
          "url": "https://git.kernel.org/stable/c/9cb83d4be0b9b697eae93d321e0da999f9cdfcfc"
        }
      ],
      "title": "wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39863",
    "datePublished": "2025-09-19T15:26:33.069Z",
    "dateReserved": "2025-04-16T07:20:57.143Z",
    "dateUpdated": "2025-09-19T15:26:33.069Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-39863\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-09-19T16:15:45.310\",\"lastModified\":\"2025-09-22T21:23:01.543\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work\\n\\nThe brcmf_btcoex_detach() only shuts down the btcoex timer, if the\\nflag timer_on is false. However, the brcmf_btcoex_timerfunc(), which\\nruns as timer handler, sets timer_on to false. This creates critical\\nrace conditions:\\n\\n1.If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc()\\nis executing, it may observe timer_on as false and skip the call to\\ntimer_shutdown_sync().\\n\\n2.The brcmf_btcoex_timerfunc() may then reschedule the brcmf_btcoex_info\\nworker after the cancel_work_sync() has been executed, resulting in\\nuse-after-free bugs.\\n\\nThe use-after-free bugs occur in two distinct scenarios, depending on\\nthe timing of when the brcmf_btcoex_info struct is freed relative to\\nthe execution of its worker thread.\\n\\nScenario 1: Freed before the worker is scheduled\\n\\nThe brcmf_btcoex_info is deallocated before the worker is scheduled.\\nA race condition can occur when schedule_work(\u0026bt_local-\u003ework) is\\ncalled after the target memory has been freed. The sequence of events\\nis detailed below:\\n\\nCPU0                           | CPU1\\nbrcmf_btcoex_detach            | brcmf_btcoex_timerfunc\\n                               |   bt_local-\u003etimer_on = false;\\n  if (cfg-\u003ebtcoex-\u003etimer_on)   |\\n    ...                        |\\n  cancel_work_sync();          |\\n  ...                          |\\n  kfree(cfg-\u003ebtcoex); // FREE  |\\n                               |   schedule_work(\u0026bt_local-\u003ework); // USE\\n\\nScenario 2: Freed after the worker is scheduled\\n\\nThe brcmf_btcoex_info is freed after the worker has been scheduled\\nbut before or during its execution. In this case, statements within\\nthe brcmf_btcoex_handler() \u2014 such as the container_of macro and\\nsubsequent dereferences of the brcmf_btcoex_info object will cause\\na use-after-free access. The following timeline illustrates this\\nscenario:\\n\\nCPU0                            | CPU1\\nbrcmf_btcoex_detach             | brcmf_btcoex_timerfunc\\n                                |   bt_local-\u003etimer_on = false;\\n  if (cfg-\u003ebtcoex-\u003etimer_on)    |\\n    ...                         |\\n  cancel_work_sync();           |\\n  ...                           |   schedule_work(); // Reschedule\\n                                |\\n  kfree(cfg-\u003ebtcoex); // FREE   |   brcmf_btcoex_handler() // Worker\\n  /*                            |     btci = container_of(....); // USE\\n   The kfree() above could      |     ...\\n   also occur at any point      |     btci-\u003e // USE\\n   during the worker\u0027s execution|\\n   */                           |\\n\\nTo resolve the race conditions, drop the conditional check and call\\ntimer_shutdown_sync() directly. It can deactivate the timer reliably,\\nregardless of its current state. Once stopped, the timer_on state is\\nthen set to false.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2f6fbc8e04ca1d1d5c560be694199f847229c625\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3e789f8475f6c857c88de5c5bf4b24b11a477dd7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9cb83d4be0b9b697eae93d321e0da999f9cdfcfc\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f1150153c4e5940fe49ab51136343c5b4fe49d63\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.