[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-DEBIAN-CVE-2025-39981":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T14:53:31.930Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":16,"duplicates":17,"related":18,"reserved_at":9,"published_at":19,"modified_at":20,"state":9,"summary":21,"references_raw":23,"kevs":30,"epss":9,"epss_history":31,"metrics":32,"affected":33},"DEBIAN-CVE-2025-39981","In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: Fix possible UAFs  This attemps to fix possible UAFs caused by struct mgmt_pending being freed while still being processed like in the following trace, in order to fix mgmt_pending_valid is introduce and use to check if the mgmt_pending hasn't been removed from the pending list, on the complete callbacks it is used to check and in addtion remove the cmd from the list while holding mgmt_pending_lock to avoid TOCTOU problems since if the cmd is left on the list it can still be accessed and freed.  BUG: KASAN: slab-use-after-free in mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223 Read of size 8 at addr ffff8880709d4dc0 by task kworker/u11:0/55  CPU: 0 UID: 0 PID: 55 Comm: kworker/u11:0 Not tainted 6.16.4 #2 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 Workqueue: hci0 hci_cmd_sync_work Call Trace:  \u003CTASK>  dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0xca/0x240 mm/kasan/report.c:482  kasan_report+0x118/0x150 mm/kasan/report.c:595  mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223  hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332  process_one_work kernel/workqueue.c:3238 [inline]  process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402  kthread+0x711/0x8a0 kernel/kthread.c:464  ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148  ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16.4/arch/x86/entry/entry_64.S:245  \u003C/TASK>  Allocated by task 12210:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x3e/0x80 mm/kasan/common.c:68  poison_kmalloc_redzone mm/kasan/common.c:377 [inline]  __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394  kasan_kmalloc include/linux/kasan.h:260 [inline]  __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4364  kmalloc_noprof include/linux/slab.h:905 [inline]  kzalloc_noprof include/linux/slab.h:1039 [inline]  mgmt_pending_new+0x65/0x1e0 net/bluetooth/mgmt_util.c:269  mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296  __add_adv_patterns_monitor+0x130/0x200 net/bluetooth/mgmt.c:5247  add_adv_patterns_monitor+0x214/0x360 net/bluetooth/mgmt.c:5364  hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719  hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839  sock_sendmsg_nosec net/socket.c:714 [inline]  __sock_sendmsg+0x219/0x270 net/socket.c:729  sock_write_iter+0x258/0x330 net/socket.c:1133  new_sync_write fs/read_write.c:593 [inline]  vfs_write+0x5c9/0xb30 fs/read_write.c:686  ksys_write+0x145/0x250 fs/read_write.c:738  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 12221:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x3e/0x80 mm/kasan/common.c:68  kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576  poison_slab_object mm/kasan/common.c:247 [inline]  __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264  kasan_slab_free include/linux/kasan.h:233 [inline]  slab_free_hook mm/slub.c:2381 [inline]  slab_free mm/slub.c:4648 [inline]  kfree+0x18e/0x440 mm/slub.c:4847  mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline]  mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257  __mgmt_power_off+0x169/0x350 net/bluetooth/mgmt.c:9444  hci_dev_close_sync+0x754/0x1330 net/bluetooth/hci_sync.c:5290  hci_dev_do_close net/bluetooth/hci_core.c:501 [inline]  hci_dev_close+0x108/0x200 net/bluetooth/hci_core.c:526  sock_do_ioctl+0xd9/0x300 net/socket.c:1192  sock_ioctl+0x576/0x790 net/socket.c:1313  vfs_ioctl fs/ioctl.c:51 [inline]  __do_sys_ioctl fs/ioctl.c:907 [inline]  __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xf ---truncated---",null,[],[],[],[14],{"_key":15},"CVE-2025-39981",[],[],[],"2025-10-15T08:15:36.017Z","2026-04-28T20:30:24.849460Z",{"cisa_kev":22,"cisa_ransomware":22,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[24],{"url":25,"sources":26,"tags":28},"https://security-tracker.debian.org/tracker/CVE-2025-39981",[27],"osv_debian",[29],"Advisory",[],[],[],[34],{"ecosystem":35,"name":36,"vendor":37,"product":36,"cpe_part":9,"purl_type":38,"purl_namespace":37,"purl_name":36,"source":9,"versions":39},"Debian","linux","debian","deb",[40,44,48],{"version":41,"is_range":42,"range_type":43,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"all",true,"ecosystem",{"version":45,"is_range":42,"range_type":43,"version_start":9,"version_start_type":9,"version_end":46,"version_end_type":47,"fixed_in":9},"lt6_12_63_1","6.12.63-1","excluding",{"version":49,"is_range":42,"range_type":43,"version_start":9,"version_start_type":9,"version_end":50,"version_end_type":47,"fixed_in":9},"lt6_16_10_1","6.16.10-1"]