CVE-2025-39861

7.8 HIGH

📋 TL;DR

A use-after-free vulnerability in the Linux kernel's Bluetooth virtual HCI driver allows attackers to potentially crash the kernel or execute arbitrary code by accessing debugfs files after the underlying data structures have been freed. This affects Linux systems with Bluetooth functionality enabled, particularly those using the vhci driver for Bluetooth testing or virtualization.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Specific affected versions not specified in CVE, but patches exist for stable kernel trees. Likely affects versions with vulnerable vhci debugfs implementation.
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Bluetooth vhci driver to be loaded and debugfs mounted. Debugfs is typically mounted at /sys/kernel/debug and requires appropriate permissions.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to system crash, or potential kernel memory corruption enabling arbitrary code execution with kernel privileges.

🟠

Likely Case

System instability, kernel crashes, or denial of service when debugfs files are accessed after vhci device release.

🟢

If Mitigated

No impact if debugfs access is properly controlled or if the vulnerability is patched before exploitation.

🌐 Internet-Facing: LOW - Requires local access to debugfs interface which is typically not exposed over network.
🏢 Internal Only: MEDIUM - Local attackers with access to debugfs could potentially exploit this vulnerability to cause system instability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access to debugfs interface and timing to access files after vhci_release() but before hdev->debugfs cleanup. No public exploits known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patches available in stable kernel trees via provided git commits: 1503756fffe76d5aea2371a4b8dee20c3577bcfd, 28010791193a4503f054e8d69a950ef815deb539, 7cc08f2f127b9a66f46ea918e34353811a7cb378, bd75eba88e88d7b896b0c737b02a74a12afc235f

Vendor Advisory: https://git.kernel.org/stable/c/1503756fffe76d5aea2371a4b8dee20c3577bcfd

Restart Required: Yes

Instructions:

1. Update the Linux kernel to a version containing the fix.
2. Check with your distribution for specific kernel updates.
3. Reboot the system after the kernel update.
4. Verify that debugfs files are properly cleaned up.

🔧 Temporary Workarounds

Disable debugfs access

linux

Prevent access to debugfs interface to block potential exploitation vectors.

umount /sys/kernel/debug

Restrict debugfs permissions

linux

Limit access to debugfs to root only to reduce attack surface.

mount -o remount,ro,noexec,nosuid /sys/kernel/debug
chmod 700 /sys/kernel/debug

🧯 If You Can't Patch

  • Unload Bluetooth vhci module if not required: 'rmmod hci_vhci'
  • Implement strict access controls on debugfs directory to prevent unauthorized access

🔍 How to Verify

Check if Vulnerable:

Check if debugfs contains vhci-related files after vhci device operations: 'ls -la /sys/kernel/debug/bluetooth/*vhci*' and monitor for orphaned debugfs entries.

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version includes the fix commits or test vhci device creation/deletion cycle while monitoring debugfs entries.
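The checks above can be made repeatable. The following POSIX shell script is an added example and is not part of the advisory or of the kernel tree: it reports whether this host currently meets the two preconditions the advisory names (the hci_vhci module loaded, debugfs mounted). It reads /proc/modules and /proc/mounts by default; both paths are parameters so the same functions can be run against saved copies of those files. It does not decide whether the fix is present, because the advisory lists fix commits rather than a fixed version number; the running kernel version is printed so it can be compared against the distribution's changelog.

```shell
#!/bin/sh
# Added example, not from the advisory: report whether the hci_vhci module
# is loaded and whether debugfs is mounted, the two preconditions for
# reaching the vulnerable debugfs files. File paths default to the live
# /proc files; the caller may pass saved copies instead.

# Exit 0 when hci_vhci appears in the given /proc/modules file.
# /proc/modules lines start with "<name> <size> <refcount> ...".
vhci_loaded() {
    modules_file="${1:-/proc/modules}"
    grep -q '^hci_vhci ' "$modules_file"
}

# Print the debugfs mount point from the given /proc/mounts file
# (third field is the filesystem type), or print nothing if not mounted.
debugfs_mountpoint() {
    mounts_file="${1:-/proc/mounts}"
    awk '$3 == "debugfs" { print $2; exit }' "$mounts_file"
}

# Summarise both preconditions as one word:
#   exposed       hci_vhci loaded and debugfs mounted
#   vhci-only     module loaded, debugfs not mounted
#   debugfs-only  debugfs mounted, module not loaded
#   not-exposed   neither
exposure_status() {
    modules_file="${1:-/proc/modules}"
    mounts_file="${2:-/proc/mounts}"
    loaded=0
    mounted=0
    vhci_loaded "$modules_file" && loaded=1
    [ -n "$(debugfs_mountpoint "$mounts_file")" ] && mounted=1
    case "$loaded$mounted" in
        11) echo exposed ;;
        10) echo vhci-only ;;
        01) echo debugfs-only ;;
        *)  echo not-exposed ;;
    esac
}

# Stand-alone usage on a live Linux host; skipped where /proc is absent.
if [ -r /proc/modules ] && [ -r /proc/mounts ]; then
    echo "running kernel: $(uname -r)"
    echo "debugfs mount point: $(debugfs_mountpoint)"
    echo "vhci exposure: $(exposure_status)"
fi
```

A result of "exposed" means both workarounds listed earlier (unloading hci_vhci, restricting or unmounting debugfs) are still applicable on that host; "not-exposed" only says the preconditions are absent right now, not that the kernel is patched.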

📡 Detection & Monitoring

Log Indicators:

  • Kernel oops messages related to Bluetooth vhci
  • Use-after-free errors in kernel logs
  • Debugfs access errors

Network Indicators:

  • None - this is a local vulnerability

SIEM Query:

source="kernel" AND ("vhci" OR "use-after-free" OR "debugfs")
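The log indicators above can be turned into a triage step for hosts that do not forward kernel logs to a SIEM. The script below is an added example, not part of the advisory: it scans a saved kernel log for KASAN use-after-free reports and prints the faulting function and the task that triggered each one, keeping only reports whose faulting function name points at the Bluetooth or debugfs area. It assumes the usual two-line KASAN report shape ("BUG: KASAN: ...use-after-free in <function>+0x...", followed by "Read/Write of size N at addr ... by task <name>/<pid>"). The sample log lines are constructed, and the function names in them are placeholders, not names from the kernel source.

```shell
#!/bin/sh
# Added example, not from the advisory: pull vhci/Bluetooth-related KASAN
# use-after-free reports out of a kernel log file. Assumes the standard
# KASAN report layout; sample input is constructed with placeholder names.

# Print "<faulting function> <task name>" for each KASAN use-after-free
# report whose faulting function matches the vhci/debugfs/hci_ area.
kasan_uaf_reports() {
    log_file="$1"
    awk '
        # First line of a report: remember the faulting function name,
        # stripping the timestamp prefix and the +0x<offset>/<size> suffix.
        /BUG: KASAN: .*use-after-free in / {
            sub(/.*use-after-free in /, "")
            sub(/\+0x.*/, "")
            fn = $0
            next
        }
        # Second line: extract the task name and emit the pair if the
        # function belongs to the Bluetooth/vhci/debugfs area.
        fn != "" && /(Read|Write) of size [0-9]+ .* by task / {
            sub(/.* by task /, "")
            sub(/\/[0-9]+.*/, "")
            task = $0
            if (fn ~ /vhci|debugfs|hci_/) print fn, task
            fn = ""
        }
    ' "$log_file"
}

# Number of matching reports in the log (0 when there are none).
vhci_uaf_report_count() {
    kasan_uaf_reports "$1" | awk 'END { print NR }'
}

# Stand-alone usage over a constructed log; on a real host point it at a
# saved copy of dmesg or journalctl -k output instead.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
[   12.001] Bluetooth: Core ver 2.22
[  123.456] BUG: KASAN: slab-use-after-free in vhci_placeholder_show+0x4c/0x80
[  123.457] Read of size 8 at addr ffff888012345678 by task cat/1234
[  200.000] BUG: KASAN: slab-use-after-free in unrelated_driver_fn+0x10/0x20
[  200.001] Read of size 4 at addr ffff88801234abcd by task foo/42
EOF
echo "vhci-area UAF reports: $(vhci_uaf_report_count "$sample_log")"
kasan_uaf_reports "$sample_log"
rm -f "$sample_log"
```

KASAN reports only appear on kernels built with KASAN; on production kernels the same use-after-free typically shows up as a plain oops or "general protection fault" mentioning a vhci or debugfs function, so the broader indicators listed above remain the fallback.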
