[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-DEBIAN-CVE-2025-38250":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T08:53:30.047Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":16,"duplicates":17,"related":18,"reserved_at":9,"published_at":19,"modified_at":20,"state":9,"summary":21,"references_raw":23,"kevs":30,"epss":9,"epss_history":31,"metrics":32,"affected":39},"DEBIAN-CVE-2025-38250","In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_core: Fix use-after-free in vhci_flush()  syzbot reported use-after-free in vhci_flush() without repro. [0]  From the splat, a thread close()d a vhci file descriptor while its device was being used by iotcl() on another thread.  Once the last fd refcnt is released, vhci_release() calls hci_unregister_dev(), hci_free_dev(), and kfree() for struct vhci_data, which is set to hci_dev->dev->driver_data.  The problem is that there is no synchronisation after unlinking hdev from hci_dev_list in hci_unregister_dev().  There might be another thread still accessing the hdev which was fetched before the unlink operation.  We can use SRCU for such synchronisation.  Let's run hci_dev_reset() under SRCU and wait for its completion in hci_unregister_dev().  Another option would be to restore hci_dev->destruct(), which was removed in commit 587ae086f6e4 (\"Bluetooth: Remove unused hci-destruct cb\").  However, this would not be a good solution, as we should not run hci_unregister_dev() while there are in-flight ioctl() requests, which could lead to another data-race KCSAN splat.  Note that other drivers seem to have the same problem, for exmaple, virtbt_remove().  [0]: BUG: KASAN: slab-use-after-free in skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline] BUG: KASAN: slab-use-after-free in skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937 Read of size 8 at addr ffff88807cb8d858 by task syz.1.219/6718  CPU: 1 UID: 0 PID: 6718 Comm: syz.1.219 Not tainted 6.16.0-rc1-syzkaller-00196-g08207f42d3ff #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace:  \u003CTASK>  dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:408 [inline]  print_report+0xd2/0x2b0 mm/kasan/report.c:521  kasan_report+0x118/0x150 mm/kasan/report.c:634  skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline]  skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937  skb_queue_purge include/linux/skbuff.h:3368 [inline]  vhci_flush+0x44/0x50 drivers/bluetooth/hci_vhci.c:69  hci_dev_do_reset net/bluetooth/hci_core.c:552 [inline]  hci_dev_reset+0x420/0x5c0 net/bluetooth/hci_core.c:592  sock_do_ioctl+0xd9/0x300 net/socket.c:1190  sock_ioctl+0x576/0x790 net/socket.c:1311  vfs_ioctl fs/ioctl.c:51 [inline]  __do_sys_ioctl fs/ioctl.c:907 [inline]  __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fcf5b98e929 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003C48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fcf5c7b9038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fcf5bbb6160 RCX: 00007fcf5b98e929 RDX: 0000000000000000 RSI: 00000000400448cb RDI: 0000000000000009 RBP: 00007fcf5ba10b39 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007fcf5bbb6160 R15: 00007ffd6353d528  \u003C/TASK>  Allocated by task 6535:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x3e/0x80 mm/kasan/common.c:68  poison_kmalloc_redzone mm/kasan/common.c:377 [inline]  __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394  kasan_kmalloc include/linux/kasan.h:260 [inline]  __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359  kmalloc_noprof include/linux/slab.h:905 [inline]  kzalloc_noprof include/linux/slab.h:1039 [inline]  vhci_open+0x57/0x360 drivers/bluetooth/hci_vhci.c:635  misc_open+0x2bc/0x330 drivers/char/misc.c:161  chrdev_open+0x4c9/0x5e0 fs/char_dev.c:414  do_dentry_open+0xdf0/0x1970 fs/open.c:964  vfs_open+0x3b/0x340 fs/open.c:1094  do_open fs/namei.c:3887 [inline]  path_openat+0x2ee5/0x3830 fs/name ---truncated---",null,[],[],[],[14],{"_key":15},"CVE-2025-38250",[],[],[],"2025-07-09T11:15:27.193Z","2026-05-02T10:01:13.279348Z",{"cisa_kev":22,"cisa_ransomware":22,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[24],{"url":25,"sources":26,"tags":28},"https://security-tracker.debian.org/tracker/CVE-2025-38250",[27],"osv_debian",[29],"Advisory",[],[],[33],{"source":27,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":34,"cvss_v4_0":9},{"baseScore":35,"baseSeverity":9,"vectorString":36,"impactScore":37,"exploitabilityScore":38},7.8,"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",9.8,4.6,[40,59],{"ecosystem":41,"name":42,"vendor":43,"product":42,"cpe_part":9,"purl_type":44,"purl_namespace":43,"purl_name":42,"source":9,"versions":45},"Debian","linux","debian","deb",[46,50,51,55,58],{"version":47,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"all",true,"ecosystem",{"version":47,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},{"version":52,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":53,"version_end_type":54,"fixed_in":9},"lt6_1_170_1","6.1.170-1","excluding",{"version":56,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":57,"version_end_type":54,"fixed_in":9},"lt6_12_37_1","6.12.37-1",{"version":56,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":57,"version_end_type":54,"fixed_in":9},{"ecosystem":41,"name":60,"vendor":43,"product":60,"cpe_part":9,"purl_type":44,"purl_namespace":43,"purl_name":60,"source":9,"versions":61},"linux-6.1",[62],{"version":63,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":64,"version_end_type":54,"fixed_in":9},"lt6_1_170_1~deb11u1","6.1.170-1~deb11u1"]