APPLIED: [SRU][N][PATCH 0/2] CVE-2025-38118
Edoardo Canepa
edoardo.canepa at canonical.com
Fri Oct 10 10:20:45 UTC 2025
Applied to noble/master-next. Thanks.
On 10/2/25 14:38, Massimiliano Pellizzer wrote:
> https://ubuntu.com/security/CVE-2025-38118
>
> [ Impact ]
>
> CVE-2025-38118 is a use-after-free in the Linux kernel Bluetooth Management code,
> specifically in the completion path for the MGMT operation
> that removes an advertising monitor (MGMT_OP_REMOVE_ADV_MONITOR).
>
> [ Fix ]
>
> Backport from upstream the fix commit:
> - e6ed54e86aae9 Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete
> and a followup:
> - 7dd38ba4acbea Bluetooth: MGMT: Fix sparse errors
>
> [ Test Plan ]
>
> Compile tested only.
>
> [ Regression Potential ]
>
> The fix affects how pending commands are managed for Bluetooth
> advertising monitor removal. An issue with this patch may cause
> inconsistencies in monitor state if the explicit lifetime handling in
> the completion path is disrupted.
>
>
> Luiz Augusto von Dentz (2):
> Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete
> Bluetooth: MGMT: Fix sparse errors
>
> include/net/bluetooth/hci_core.h | 1 -
> net/bluetooth/hci_core.c | 4 +---
> net/bluetooth/mgmt.c | 39 ++++++++++----------------------
> 3 files changed, 13 insertions(+), 31 deletions(-)
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0x20F88172E14F6784.asc
Type: application/pgp-keys
Size: 3167 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20251010/9783ef30/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20251010/9783ef30/attachment-0001.sig>
More information about the kernel-team
mailing list