CVE-2025-40318
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once hci_cmd_sync_dequeue_once() does lookup and then cancel the entry under two separate lock sections. Meanwhile, hci_cmd_sync_work() can also delete the same entry, leading to double list_del() and "UAF". Fix this by holding cmd_sync_work_lock across both lookup and cancel, so that the entry cannot be removed concurrently.
Affected versions
Linux kernel versions
6.1.120,
6.6.51,
6.8.9,
6.9
and later are affected. Fixed in
6.1.159,
6.6.117,
6.12.58,
6.17.8,
6.18
and their respective stable series.
References
The following references provide additional information about CVE-2025-40318 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.
-
PatchKernel patch commithttps://git.kernel.org/stable/c/09b0cd1297b4dbfe736aeaa0ceeab2265f47f772
-
PatchKernel patch commithttps://git.kernel.org/stable/c/0a94f7e017438935c09ef833a1aa908ad9875213
-
PatchKernel patch commithttps://git.kernel.org/stable/c/932c0a4f77ac13e526fdd5b42914d29c9821d389
Frequently asked questions
-
What is CVE-2025-40318?
CVE-2025-40318 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 6.1.120 onward and has been patched in 6.1.159, 6.6.117, 6.12.58 and others. CVE-2025-40318 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
-
Is there a patch available for CVE-2025-40318?
Yes — CVE-2025-40318 has been patched. Fixed versions include 6.1.159, 6.6.117, 6.12.58 and others. If you are running Linux kernel 6.1.120 or later up to the fix versions, apply the relevant patch for your kernel branch.
-
Is CVE-2025-40318 actively exploited?
No — CVE-2025-40318 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.