ACK: [SRU][N][PATCH 0/2] CVE-2025-38118
Manuel Diewald
manuel.diewald at canonical.com
Tue Oct 7 09:27:18 UTC 2025
On Thu, Oct 02, 2025 at 02:38:43PM +0200, Massimiliano Pellizzer wrote:
> https://ubuntu.com/security/CVE-2025-38118
>
> [ Impact ]
>
> CVE-2025-38118 is a use-after-free in the Linux kernel Bluetooth Management code,
> specifically in the completion path for the MGMT operation
> that removes an advertising monitor (MGMT_OP_REMOVE_ADV_MONITOR).
>
> [ Fix ]
>
> Backport from upstream the fix commit:
> - e6ed54e86aae9 Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete
> and a followup:
> - 7dd38ba4acbea Bluetooth: MGMT: Fix sparse errors
>
> [ Test Plan ]
>
> Compile tested only.
>
> [ Regression Potential ]
>
> The fix affects how pending commands are managed for Bluetooth
> advertising monitor removal. An issue with this patch may cause
> inconsistencies in monitor state if the explicit lifetime handling in
> the completion path is disrupted.
>
>
> Luiz Augusto von Dentz (2):
> Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete
> Bluetooth: MGMT: Fix sparse errors
>
> include/net/bluetooth/hci_core.h | 1 -
> net/bluetooth/hci_core.c | 4 +---
> net/bluetooth/mgmt.c | 39 ++++++++++----------------------
> 3 files changed, 13 insertions(+), 31 deletions(-)
>
> --
> 2.48.1
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
Acked-by: Manuel Diewald <manuel.diewald at canonical.com>
--
Manuel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20251007/b3e5eb72/attachment-0001.sig>
More information about the kernel-team
mailing list