
CVE-2025-21969: Vulnerability in the Linux kernel

Severity: High (site rating; the CVE record on this page carries no CVSS score)
Published: Tue Apr 01 2025 (04/01/2025, 15:47:03 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd

After the hci sync command releases l2cap_conn, the hci receive data work queue references the released l2cap_conn when sending to the upper layer. Add hci dev lock to the hci receive data work queue to synchronize the two. [1]

BUG: KASAN: slab-use-after-free in l2cap_send_cmd+0x187/0x8d0 net/bluetooth/l2cap_core.c:954
Read of size 8 at addr ffff8880271a4000 by task kworker/u9:2/5837

CPU: 0 UID: 0 PID: 5837 Comm: kworker/u9:2 Not tainted 6.13.0-rc5-syzkaller-00163-gab75170520d4 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: hci1 hci_rx_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:489
 kasan_report+0x143/0x180 mm/kasan/report.c:602
 l2cap_build_cmd net/bluetooth/l2cap_core.c:2964 [inline]
 l2cap_send_cmd+0x187/0x8d0 net/bluetooth/l2cap_core.c:954
 l2cap_sig_send_rej net/bluetooth/l2cap_core.c:5502 [inline]
 l2cap_sig_channel net/bluetooth/l2cap_core.c:5538 [inline]
 l2cap_recv_frame+0x221f/0x10db0 net/bluetooth/l2cap_core.c:6817
 hci_acldata_packet net/bluetooth/hci_core.c:3797 [inline]
 hci_rx_work+0x508/0xdb0 net/bluetooth/hci_core.c:4040
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310
 worker_thread+0x870/0xd30 kernel/workqueue.c:3391
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 5837:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329
 kmalloc_noprof include/linux/slab.h:901 [inline]
 kzalloc_noprof include/linux/slab.h:1037 [inline]
 l2cap_conn_add+0xa9/0x8e0 net/bluetooth/l2cap_core.c:6860
 l2cap_connect_cfm+0x115/0x1090 net/bluetooth/l2cap_core.c:7239
 hci_connect_cfm include/net/bluetooth/hci_core.h:2057 [inline]
 hci_remote_features_evt+0x68e/0xac0 net/bluetooth/hci_event.c:3726
 hci_event_func net/bluetooth/hci_event.c:7473 [inline]
 hci_event_packet+0xac2/0x1540 net/bluetooth/hci_event.c:7525
 hci_rx_work+0x3f3/0xdb0 net/bluetooth/hci_core.c:4035
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310
 worker_thread+0x870/0xd30 kernel/workqueue.c:3391
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Freed by task 54:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2353 [inline]
 slab_free mm/slub.c:4613 [inline]
 kfree+0x196/0x430 mm/slub.c:4761
 l2cap_connect_cfm+0xcc/0x1090 net/bluetooth/l2cap_core.c:7235
 hci_connect_cfm include/net/bluetooth/hci_core.h:2057 [inline]
 hci_conn_failed+0x287/0x400 net/bluetooth/hci_conn.c:1266
 hci_abort_conn_sync+0x56c/0x11f0 net/bluetooth/hci_sync.c:5603
 hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310
 worker_thread+0x870/0xd30 kernel/workqueue.c:3391
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entr ---truncated---

AI-Powered Analysis

Last updated: 06/30/2025, 11:24:56 UTC

Technical Analysis

CVE-2025-21969 is a use-after-free in the Linux kernel's Bluetooth subsystem, in the L2CAP (Logical Link Control and Adaptation Protocol) layer. Two workqueue items race on the same l2cap_conn object. The HCI command-sync work (hci_cmd_sync_work) aborts a connection: hci_abort_conn_sync calls hci_conn_failed, which runs the connect-confirm callback l2cap_connect_cfm, and that kfree()s the l2cap_conn. Concurrently the HCI receive work (hci_rx_work) is delivering an incoming ACL packet for the same connection: hci_acldata_packet hands it to l2cap_recv_frame, the signalling-channel handler decides to answer with a Command Reject (l2cap_sig_send_rej), and l2cap_send_cmd reads the freed conn. KASAN reports this as a slab-use-after-free read of 8 bytes at the freed object's address in l2cap_send_cmd (net/bluetooth/l2cap_core.c:954) on the hci1 hci_rx_work workqueue. The allocation stack shows the object was created by l2cap_conn_add during an earlier hci_rx_work run (remote-features event processing, task 5837), and the free stack shows the kfree from l2cap_connect_cfm under hci_cmd_sync_work (task 54); the report was produced by syzkaller on 6.13.0-rc5. The root cause is missing synchronization between the abort path that releases the l2cap_conn and the receive path that still uses it; the fix takes the hci_dev lock in the receive work so the two paths are serialized. Affected versions are kernels that predate the fix; the CVE record on this page does not enumerate releases and records no CVSS score. Triggering the bug needs Bluetooth traffic for a connection to arrive while the controller-side abort of that connection is being processed, so it is a timing window during connection setup or teardown rather than a single malformed packet. The traffic that reaches the faulting path is L2CAP signalling from a peer in radio range; the command-reject path in the trace runs before any channel is established, so no pairing and no user interaction are required. The observable outcome is a kernel crash (denial of service); as with any kernel use-after-free, the corrupted state could in principle be developed into privilege escalation or code execution, but the narrow race window makes reliable exploitation considerably harder than a deterministic bug. No exploits in the wild are reported as of publication.
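As an added example (not code from this page, from the CVE record or from the kernel project), the following Python triage helper parses a KASAN report of the shape shown above into the fields that decide how a race like this is classified: the faulting function and access, the workqueue it ran on, and, for the fault, allocation and free stacks, the first frame outside KASAN and slab machinery together with the workqueue callback that was running. The embedded report is this page's own trace re-flowed one frame per line with the repeated kthread tail frames trimmed; the path filter in _NOISE is this example's own heuristic, not a kernel convention.

```python
"""KASAN slab-use-after-free triage (added example, not kernel or page code).

Extracts the bug class, the faulting access, the workqueue it ran on, and for
each stack (fault, alloc, free) the first frame outside KASAN/slab machinery
plus the workqueue callback that was running.
"""
import re
# Frames in these paths are sanitizer, allocator or stack-dump machinery.
_NOISE = re.compile(r"^(mm/kasan/|mm/slub\.c|mm/slab|lib/dump_stack\.c|"
                    r"include/linux/kasan\.h|include/linux/slab\.h)")
_BUG = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+ (?P<loc>\S+)")
_ACCESS = re.compile(r"(?P<kind>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
_CPU = re.compile(r"^CPU: .*Comm: (?P<comm>\S+) .*?(?P<ver>\d+\.\d+\.\d+\S*) #")
_FRAME = re.compile(r"^(?P<func>\w+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (?P<loc>\S+:\d+)(?P<inl> \[inline\])?$")
_SECTION = re.compile(r"^(?:Call Trace:|Allocated by task (?P<alloc>\d+):|Freed by task (?P<free>\d+):)")

def parse_frames(lines):
    """(function, file:line, inlined) per frame line, innermost first."""
    return [(m["func"], m["loc"], bool(m["inl"])) for m in map(_FRAME.match, lines) if m]

def origin_frame(frames):
    """First frame outside sanitizer/allocator code, or None."""
    return next(((f, loc) for f, loc, _ in frames if not _NOISE.match(loc)), None)

def work_function(frames):
    """The workqueue callback: the frame directly above process_one_work."""
    for i, (func, _, _) in enumerate(frames):
        if func == "process_one_work" and i:
            return frames[i - 1][0]
    return None

def parse_kasan_report(text):
    """Parse one report; stacks are keyed 'fault', 'alloc' and 'free'."""
    info = {"bug": None, "func": None, "loc": None, "access": None,
            "workqueue": None, "comm": None, "kernel": None, "stacks": {}}
    section, raw = None, {}
    for line in text.splitlines():
        s = line.strip()
        if m := _BUG.search(s):
            info.update(bug=m["bug"], func=m["func"], loc=m["loc"])
        elif m := _ACCESS.search(s):
            info["access"] = {"kind": m["kind"], "size": int(m["size"]),
                              "addr": int(m["addr"], 16), "task": m["task"]}
        elif m := _CPU.match(s):
            info.update(comm=m["comm"], kernel=m["ver"])
        elif s.startswith("Workqueue:"):
            info["workqueue"] = s.split(":", 1)[1].strip()
        elif m := _SECTION.match(s):
            section = "alloc" if m["alloc"] else "free" if m["free"] else "fault"
            raw[section] = {"task": int(m["alloc"] or m["free"] or 0) or None, "lines": []}
        elif section:
            raw[section]["lines"].append(s)
    for name, d in raw.items():
        frames = parse_frames(d["lines"])
        info["stacks"][name] = {"task": d["task"], "frames": frames,
                                "origin": origin_frame(frames), "work": work_function(frames)}
    return info

def summarize(info):
    """One-line verdict naming the racing work items (needs all three stacks)."""
    a, st = info["access"], info["stacks"]
    return (f"{info['bug']} in {info['func']} ({info['loc']}): {a['kind'].lower()} of "
            f"{a['size']} bytes on {st['fault']['work']} (task {a['task']}); allocated by "
            f"{st['alloc']['origin'][0]} (task {st['alloc']['task']}), freed by "
            f"{st['free']['origin'][0]} on {st['free']['work']} (task {st['free']['task']})")

# The CVE-2025-21969 report from this page, one frame per line, with the
# repeated kthread tail frames below process_one_work trimmed.
SAMPLE_REPORT = """\
BUG: KASAN: slab-use-after-free in l2cap_send_cmd+0x187/0x8d0 net/bluetooth/l2cap_core.c:954
Read of size 8 at addr ffff8880271a4000 by task kworker/u9:2/5837
CPU: 0 UID: 0 PID: 5837 Comm: kworker/u9:2 Not tainted 6.13.0-rc5-syzkaller-00163-gab75170520d4 #0
Workqueue: hci1 hci_rx_work
Call Trace:
 kasan_report+0x143/0x180 mm/kasan/report.c:602
 l2cap_build_cmd net/bluetooth/l2cap_core.c:2964 [inline]
 l2cap_send_cmd+0x187/0x8d0 net/bluetooth/l2cap_core.c:954
 l2cap_sig_send_rej net/bluetooth/l2cap_core.c:5502 [inline]
 l2cap_recv_frame+0x221f/0x10db0 net/bluetooth/l2cap_core.c:6817
 hci_acldata_packet net/bluetooth/hci_core.c:3797 [inline]
 hci_rx_work+0x508/0xdb0 net/bluetooth/hci_core.c:4040
 process_one_work kernel/workqueue.c:3229 [inline]
Allocated by task 5837:
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
 kzalloc_noprof include/linux/slab.h:1037 [inline]
 l2cap_conn_add+0xa9/0x8e0 net/bluetooth/l2cap_core.c:6860
 l2cap_connect_cfm+0x115/0x1090 net/bluetooth/l2cap_core.c:7239
 hci_rx_work+0x3f3/0xdb0 net/bluetooth/hci_core.c:4035
 process_one_work kernel/workqueue.c:3229 [inline]
Freed by task 54:
 __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
 kfree+0x196/0x430 mm/slub.c:4761
 l2cap_connect_cfm+0xcc/0x1090 net/bluetooth/l2cap_core.c:7235
 hci_conn_failed+0x287/0x400 net/bluetooth/hci_conn.c:1266
 hci_abort_conn_sync+0x56c/0x11f0 net/bluetooth/hci_sync.c:5603
 hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332
 process_one_work kernel/workqueue.c:3229 [inline]
"""

if __name__ == "__main__":
    print(summarize(parse_kasan_report(SAMPLE_REPORT)))
```

Run stand-alone it prints one line that names l2cap_send_cmd on hci_rx_work as the reader and l2cap_connect_cfm on hci_cmd_sync_work as the freer, which is the whole race in a form that can be filed or grepped across a syzbot corpus; feed it a full dmesg capture and the same fields come out for any slab-use-after-free report.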

Potential Impact

For European organizations, exposure is limited to Linux hosts that have a Bluetooth controller and the bluetooth kernel module loaded: chiefly laptops and workstations, embedded and IoT devices, and industrial, medical or retail equipment that talks to Bluetooth peripherals. Headless servers usually have no Bluetooth radio and are not reachable, even though they run vulnerable kernel versions. The realistic outcome of a triggered race is a kernel crash, i.e. denial of service of the affected host, which matters most where the host is an operational-technology or patient-facing device. A kernel use-after-free can in principle be developed into privilege escalation or remote code execution, and kernel Bluetooth-stack memory-safety bugs have been weaponized in the past, so the confidentiality and integrity of data on finance, healthcare and government systems are the worst-case concern; this bug is a timing window rather than a deterministic write, which raises the bar for such an exploit. Because the trigger is over the air, physical proximity replaces network access as the prerequisite, which broadens the attacker population in shared or public spaces where Bluetooth is widely used or not tightly controlled. No exploits are known as of publication, so the immediate risk is low, but the fix should be treated as routine kernel patching rather than deferred.

Mitigation Recommendations

Patch first: move to a kernel release that carries the fix for CVE-2025-21969. The CVE record on this page does not list fixed versions, so map the upstream commit to a package version through your distribution's advisory before declaring a host remediated. Where Bluetooth is not needed, remove the attack surface rather than monitor it: block the radio with rfkill (rfkill block bluetooth), disable the bluetooth service, and stop the bluetooth and btusb modules from loading through a modprobe.d rule (install bluetooth /bin/false, which unlike a plain blacklist also defeats dependency loading); a kernel built without CONFIG_BT has no L2CAP code to reach. Where Bluetooth is required, keep the adapter non-discoverable and non-pairable outside enrolment windows (bluetoothctl discoverable off and pairable off), since the trigger needs a peer to reach the L2CAP signalling channel. Passive monitoring of Bluetooth traffic for malformed packets is rarely practical; collect kernel logs instead and alert on BUG:, KASAN: or general protection fault entries that mention net/bluetooth, and treat unexplained crashes of Bluetooth-equipped hosts as possible exploitation attempts. KASAN is a debugging instrument for test builds and fuzzing pipelines, which is how this bug was found, not a runtime hardening measure for production kernels. Update incident response plans to cover kernel-level Bluetooth bugs, where the first responder action is to rfkill-block the radio and preserve dmesg. Finally, keep an inventory that records both the kernel version and whether a host actually has a Bluetooth controller (for example by checking /sys/class/bluetooth or bluetoothctl list), so remediation can be targeted at the exposed population.
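A host-side check for the three exposure conditions above, as an added example that is not code from this page or from the kernel project: it compares the running kernel with a fixed release supplied by the operator (this page lists no fixed versions, so the script takes one as an argument and assumes the operator took it from a distribution advisory), reports whether the Bluetooth core module and the modules using it are loaded, and whether every Bluetooth rfkill switch is soft- or hard-blocked. The /proc/modules text and rfkill entries at the bottom are constructed samples for offline use.

```python
"""Bluetooth exposure check for a kernel bug such as CVE-2025-21969.

Added example, not code from the page or from the kernel project. The
first-fixed kernel release is an operator-supplied assumption, since the CVE
record on the page does not list fixed versions.
"""
import os
import re
import sys
from pathlib import Path

_REL = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")

def kernel_key(release):
    """Comparable tuple for a uname -r string; an -rcN sorts before the final release."""
    m = _REL.match(release)
    if not m:
        raise ValueError(f"unparseable kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if rc else 1, int(rc or 0))

def bluetooth_modules(proc_modules):
    """Names of the Bluetooth core module and every module holding a reference to it."""
    users = {}
    for line in proc_modules.splitlines():
        f = line.split()
        if len(f) >= 4:  # name size refcount users state address
            users[f[0]] = {d for d in f[3].split(",") if d and d != "-"}
    if "bluetooth" not in users:
        return set()
    return {"bluetooth"} | users["bluetooth"]

def read_rfkill(root="/sys/class/rfkill"):
    """[(name, type, soft, hard)] per rfkill switch; empty when sysfs has none."""
    entries = []
    for sw in sorted(Path(root).glob("rfkill*")):
        try:
            entries.append(tuple((sw / a).read_text().strip() for a in ("name", "type", "soft", "hard")))
        except OSError:
            continue
    return entries

def bluetooth_blocked(entries):
    """True only if at least one Bluetooth switch exists and all are soft- or hard-blocked."""
    bt = [e for e in entries if e[1] == "bluetooth"]
    return bool(bt) and all(e[2] == "1" or e[3] == "1" for e in bt)

def audit(fixed_release, release, proc_modules, rfkill_entries):
    """Return findings; an empty list means none of the three exposure conditions hold."""
    findings = []
    if kernel_key(release) < kernel_key(fixed_release):
        findings.append(f"kernel {release} predates fixed release {fixed_release}")
    mods = bluetooth_modules(proc_modules)
    if mods:
        findings.append("Bluetooth stack loaded: " + ", ".join(sorted(mods)))
        if not bluetooth_blocked(rfkill_entries):
            findings.append("Bluetooth radio not rfkill-blocked")
    return findings

# Constructed samples shaped like /proc/modules and /sys/class/rfkill contents.
SAMPLE_PROC_MODULES = """\
btusb 73728 0 - Live 0xffffffffc0a00000
btintel 49152 1 btusb, Live 0xffffffffc09e0000
bnep 32768 2 - Live 0xffffffffc09c0000
bluetooth 1048576 31 btusb,btintel,bnep, Live 0xffffffffc0800000
ext4 1044480 2 - Live 0xffffffffc0600000
"""
SAMPLE_RFKILL = [("hci0", "bluetooth", "0", "0"), ("phy0", "wlan", "0", "0")]

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: bt_exposure.py <first-fixed-kernel-release>  (from your distro advisory)")
    found = audit(sys.argv[1], os.uname().release,
                  Path("/proc/modules").read_text(), read_rfkill())
    print("\n".join(found) or "no exposure conditions found")
```

The version comparison deliberately treats 6.13.0-rc5 (the kernel in the KASAN report) as older than 6.13.0, and the module check follows /proc/modules' users column so that a loaded bluetooth core pulls in btusb, btintel and bnep without a hard-coded list; a host that reports no findings either runs a fixed kernel or has no Bluetooth stack loaded.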


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-12-29T08:45:45.796Z
Cisa Enriched
false
Cvss Version
null
State
PUBLISHED

Threat ID: 682d9833c4522896dcbe8da5

Added to database: 5/21/2025, 9:09:07 AM

Last enriched: 6/30/2025, 11:24:56 AM

Last updated: 7/15/2025, 7:39:27 PM
