LiveActive security incident?Get immediate response
CVE Record

CVE-2025-39863: wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work

In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work The brcmf_btcoex_detach() only shuts down the btcoex timer, if the flag timer_on is false. However, the brcmf_btcoex_timerfunc(), which runs as timer handler, sets timer_on to false. This creates critical race conditions: 1.If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc() is executing, it may observe timer_on as false and skip the call to timer_shutdown_sync(). 2.The brcmf_btcoex_timerfunc() may then reschedule the brcmf_btcoex_info worker after the cancel_work_sync() has been executed, resulting in use-after-free bugs. The use-after-free bugs occur in two distinct scenarios, depending on the timing of when the brcmf_btcoex_info struct is freed relative to the execution of its worker thread. Scenario 1: Freed before the worker is scheduled The brcmf_btcoex_info is deallocated before the worker is scheduled. A race condition can occur when schedule_work(&bt_local->work) is called after the target memory has been freed. The sequence of events is detailed below: CPU0 | CPU1 brcmf_btcoex_detach | brcmf_btcoex_timerfunc | bt_local->timer_on = false; if (cfg->btcoex->timer_on) | ... | cancel_work_sync(); | ... | kfree(cfg->btcoex); // FREE | | schedule_work(&bt_local->work); // USE Scenario 2: Freed after the worker is scheduled The brcmf_btcoex_info is freed after the worker has been scheduled but before or during its execution. In this case, statements within the brcmf_btcoex_handler() — such as the container_of macro and subsequent dereferences of the brcmf_btcoex_info object will cause a use-after-free access. The following timeline illustrates this scenario: CPU0 | CPU1 brcmf_btcoex_detach | brcmf_btcoex_timerfunc | bt_local->timer_on = false; if (cfg->btcoex->timer_on) | ... | cancel_work_sync(); | ... | schedule_work(); // Reschedule | kfree(cfg->btcoex); // FREE | brcmf_btcoex_handler() // Worker /* | btci = container_of(....); // USE The kfree() above could | ... also occur at any point | btci-> // USE during the worker's execution| */ | To resolve the race conditions, drop the conditional check and call timer_shutdown_sync() directly. It can deactivate the timer reliably, regardless of its current state. Once stopped, the timer_on state is then set to false.

HighCVSS 7.8Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

CVE-2025-39863 is a Linux kernel bug in the Broadcom brcmfmac Wi-Fi driver. A timing race during Bluetooth coexistence cleanup can use memory after it has been freed. A local authenticated user may be able to crash the system or potentially gain kernel-level impact.

Executive priority

Patch in the normal high-priority kernel maintenance lane, faster for shared workstations, developer laptops, appliances, or systems with untrusted local users. No public active exploitation is evidenced in the provided sources.

Technical view

The flaw is a CWE-416 use-after-free in brcmf_btcoex_detach and brcmf_btcoex_timerfunc. The timer handler can mark timer_on false and later reschedule work after cancel_work_sync and kfree, leaving brcmf_btcoex_handler operating on freed brcmf_btcoex_info memory. The documented fix calls timer_shutdown_sync unconditionally before clearing timer state.

Likely exposure

Exposure is likely limited to Linux systems using the brcmfmac Broadcom Wi-Fi driver with Bluetooth coexistence paths. The CVE lists Linux kernel versions including 5.15.210, 6.1.167, 6.6.105, 6.12.46, 6.16.6, and 6.17, but distro package mappings are not provided.

Exploitation context

The CVSS vector is local, low complexity, low privilege, and no user interaction. The source bundle does not show CISA KEV listing or active exploitation evidence. Treat it as a serious local kernel privilege and stability risk, not a confirmed in-the-wild campaign.

Researcher notes

The root issue is cleanup ordering across timer, workqueue, and object lifetime. The source describes two race windows: scheduling work after free, and freeing after work is scheduled but before or during handler execution. Patch verification should focus on unconditional timer_shutdown_sync before work cancellation and free.

Mitigation direction

  • Prioritize kernel updates containing the referenced stable brcmfmac fixes.
  • Check Linux distribution and device vendor advisories for packaged fixed kernels.
  • Inventory systems using Broadcom brcmfmac Wi-Fi hardware or modules.
  • Restrict local shell access on affected systems until patched.
  • If patching is delayed, evaluate disabling unused affected wireless hardware.

Validation and detection

  • Confirm whether systems load or depend on the brcmfmac driver.
  • Map running kernels to vendor advisories or referenced stable commits.
  • Verify the fix removes the conditional timer shutdown path.
  • Regression test Wi-Fi and Bluetooth coexistence after kernel updates.
  • Review crash logs for brcmfmac or btcoex-related kernel faults.
Prepared
Confidence
high
Sources
8

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-416: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2025-39863 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
7.8 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
1ADP providers
7Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
7.8CVSS 3.1HighCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H1.85.9CISA-ADP

Vulnerability scoring details

Base CVSS 3.1 score

7.8High
CVSS 3.1 vector shape for CVE-2025-39863Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
cvssV3_1other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux61730d4dfffc2cc9d3a49fad87633008105c18ba, 61730d4dfffc2cc9d3a49fad87633008105c18ba, 61730d4dfffc2cc9d3a49fad87633008105c18ba, 61730d4dfffc2cc9d3a49fad87633008105c18ba, 61730d4dfffc2cc9d3a49fad87633008105c18ba, 61730d4dfffc2cc9d3a49fad87633008105c18baunaffected
LinuxLinux3.10, 0, 5.15.210, 6.1.167, 6.6.105, 6.12.46, 6.16.6, 6.17affected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-416 · source CWE mapping

Use After Free

Use After Free represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.