ghsa-j8g4-37fg-mjm8
Vulnerability from github
Published
2025-09-22 21:30
Modified
2025-09-22 21:30
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: vhci: Prevent use-after-free by removing debugfs files early

Move the creation of debugfs files into a dedicated function, and ensure they are explicitly removed during vhci_release(), before associated data structures are freed.

Previously, debugfs files such as "force_suspend", "force_wakeup", and others were created under hdev->debugfs but not removed in vhci_release(). Since vhci_release() frees the backing vhci_data structure, any access to these files after release would result in use-after-free errors.

Although hdev->debugfs is later freed in hci_release_dev(), user can access files after vhci_data is freed but before hdev->debugfs is released.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-39861"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-19T16:15:45Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: vhci: Prevent use-after-free by removing debugfs files early\n\nMove the creation of debugfs files into a dedicated function, and ensure\nthey are explicitly removed during vhci_release(), before associated\ndata structures are freed.\n\nPreviously, debugfs files such as \"force_suspend\", \"force_wakeup\", and\nothers were created under hdev-\u003edebugfs but not removed in\nvhci_release(). Since vhci_release() frees the backing vhci_data\nstructure, any access to these files after release would result in\nuse-after-free errors.\n\nAlthough hdev-\u003edebugfs is later freed in hci_release_dev(), user can\naccess files after vhci_data is freed but before hdev-\u003edebugfs is\nreleased.",
  "id": "GHSA-j8g4-37fg-mjm8",
  "modified": "2025-09-22T21:30:18Z",
  "published": "2025-09-22T21:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39861"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1503756fffe76d5aea2371a4b8dee20c3577bcfd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/28010791193a4503f054e8d69a950ef815deb539"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7cc08f2f127b9a66f46ea918e34353811a7cb378"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bd75eba88e88d7b896b0c737b02a74a12afc235f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.