GHSA-hxj9-5m9x-pxq2

Опубликовано: 24 нояб. 2025

Источник: github

Github: Не прошло ревью

Описание

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete

There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to memcpy from badly declared on-stack flexible array.

Another crash is in set_mesh_complete() due to double list_del via mgmt_pending_valid + mgmt_pending_remove.

Use DEFINE_FLEX to declare the flexible array right, and don't memcpy outside bounds.

As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free, and also report status on error.

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete

There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to memcpy from badly declared on-stack flexible array.

Another crash is in set_mesh_complete() due to double list_del via mgmt_pending_valid + mgmt_pending_remove.

Use DEFINE_FLEX to declare the flexible array right, and don't memcpy outside bounds.

As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free, and also report status on error.

Ссылки

EPSS

Процентиль: 6%

0.00024

Низкий

CVE ID

CVE-2025-40213

Связанные уязвимости

CVE-2025-40213

ubuntu

2 месяца назад

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to memcpy from badly declared on-stack flexible array. Another crash is in set_mesh_complete() due to double list_del via mgmt_pending_valid + mgmt_pending_remove. Use DEFINE_FLEX to declare the flexible array right, and don't memcpy outside bounds. As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free, and also report status on error.