What is CVE-2025-40284?

CVE-2025-40284 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 6.1 onward and patched in 6.1.159, 6.6.117, 6.12.59 and others. CVE-2025-40284 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2025-40284?

CVE-2025-40284 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2025-40284?

Yes, CVE-2025-40284 has been patched. Fixed versions include 6.1.159, 6.6.117, 6.12.59 and others. If you are running Linux kernel 6.1 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2025-40284 actively exploited?

CVE-2025-40284 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2025-40284

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: cancel mesh send timer when hdev removed mesh_send_done timer is not canceled when hdev is removed, which causes crash if the timer triggers after hdev is gone. Cancel the timer when MGMT removes the hdev, like other MGMT timers. Should fix the BUG: sporadically seen by BlueZ test bot (in "Mesh - Send cancel - 1" test). Log: ------ BUG: KASAN: slab-use-after-free in run_timer_softirq+0x76b/0x7d0 ... Freed by task 36: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 __kasan_save_free_info+0x3a/0x60 __kasan_slab_free+0x43/0x70 kfree+0x103/0x500 device_release+0x9a/0x210 kobject_put+0x100/0x1e0 vhci_release+0x18b/0x240 ------

Package Linux Kernel

Published 2025-12-06

Last modified 2026-04-15

Patch available

Yes

Affected versions

Linux kernel versions 6.1 and later are affected. Fixed in 6.1.159, 6.6.117, 6.12.59, 6.17.9, 6.18 and their respective stable series.

Affected from

≥ 6.1

Fixed in

✓ 6.1.159 6.1.x ✓ 6.6.117 6.6.x ✓ 6.12.59 6.12.x ✓ 6.17.9 6.17.x ✓ 6.18

References

The following references provide additional information about CVE-2025-40284 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/2927ff643607eddf4f03d10ef80fe10d977154aa
Patch
Kernel patch commit
https://git.kernel.org/stable/c/55fb52ffdd62850d667ebed842815e072d3c9961
Patch
Kernel patch commit
https://git.kernel.org/stable/c/7b6b6c077cad0601d62c3c34ab7ce3fb25deda7b
Patch

5 patch commits total View all on NVD

Frequently asked questions

What is CVE-2025-40284?

CVE-2025-40284 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 6.1 onward and has been patched in 6.1.159, 6.6.117, 6.12.59 and others. CVE-2025-40284 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2025-40284?

Yes — CVE-2025-40284 has been patched. Fixed versions include 6.1.159, 6.6.117, 6.12.59 and others. If you are running Linux kernel 6.1 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2025-40284 actively exploited?

No — CVE-2025-40284 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.