CVE-2025-39863: wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work
The brcmf_btcoex_detach() only shuts down the btcoex timer, if the
flag timer_on is false. However, the brcmf_btcoex_timerfunc(), which
runs as timer handler, sets timer_on to false. This creates critical
race conditions:
1.If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc()
is executing, it may observe timer_on as false and skip the call to
timer_shutdown_sync().
2.The brcmf_btcoex_timerfunc() may then reschedule the brcmf_btcoex_info
worker after the cancel_work_sync() has been executed, resulting in
use-after-free bugs.
The use-after-free bugs occur in two distinct scenarios, depending on
the timing of when the brcmf_btcoex_info struct is freed relative to
the execution of its worker thread.
Scenario 1: Freed before the worker is scheduled
The brcmf_btcoex_info is deallocated before the worker is scheduled.
A race condition can occur when schedule_work(&bt_local->work) is
called after the target memory has been freed. The sequence of events
is detailed below:
CPU0 | CPU1
brcmf_btcoex_detach | brcmf_btcoex_timerfunc
| bt_local->timer_on = false;
if (cfg->btcoex->timer_on) |
... |
cancel_work_sync(); |
... |
kfree(cfg->btcoex); // FREE |
| schedule_work(&bt_local->work); // USE
Scenario 2: Freed after the worker is scheduled
The brcmf_btcoex_info is freed after the worker has been scheduled
but before or during its execution. In this case, statements within
the brcmf_btcoex_handler() — such as the container_of macro and
subsequent dereferences of the brcmf_btcoex_info object will cause
a use-after-free access. The following timeline illustrates this
scenario:
CPU0 | CPU1
brcmf_btcoex_detach | brcmf_btcoex_timerfunc
| bt_local->timer_on = false;
if (cfg->btcoex->timer_on) |
... |
cancel_work_sync(); |
... | schedule_work(); // Reschedule
|
kfree(cfg->btcoex); // FREE | brcmf_btcoex_handler() // Worker
/* | btci = container_of(....); // USE
The kfree() above could | ...
also occur at any point | btci-> // USE
during the worker's execution|
*/ |
To resolve the race conditions, drop the conditional check and call
timer_shutdown_sync() directly. It can deactivate the timer reliably,
regardless of its current state. Once stopped, the timer_on state is
then set to false.
Security readout for executives and security teams
Plain-English summary
CVE-2025-39863 is a Linux kernel bug in the Broadcom brcmfmac Wi-Fi driver. A timing race during Bluetooth coexistence cleanup can use memory after it has been freed. A local authenticated user may be able to crash the system or potentially gain kernel-level impact.
Executive priority
Patch in the normal high-priority kernel maintenance lane, faster for shared workstations, developer laptops, appliances, or systems with untrusted local users. No public active exploitation is evidenced in the provided sources.
Technical view
The flaw is a CWE-416 use-after-free in brcmf_btcoex_detach and brcmf_btcoex_timerfunc. The timer handler can mark timer_on false and later reschedule work after cancel_work_sync and kfree, leaving brcmf_btcoex_handler operating on freed brcmf_btcoex_info memory. The documented fix calls timer_shutdown_sync unconditionally before clearing timer state.
Likely exposure
Exposure is likely limited to Linux systems using the brcmfmac Broadcom Wi-Fi driver with Bluetooth coexistence paths. The CVE lists Linux kernel versions including 5.15.210, 6.1.167, 6.6.105, 6.12.46, 6.16.6, and 6.17, but distro package mappings are not provided.
Exploitation context
The CVSS vector is local, low complexity, low privilege, and no user interaction. The source bundle does not show CISA KEV listing or active exploitation evidence. Treat it as a serious local kernel privilege and stability risk, not a confirmed in-the-wild campaign.
Researcher notes
The root issue is cleanup ordering across timer, workqueue, and object lifetime. The source describes two race windows: scheduling work after free, and freeing after work is scheduled but before or during handler execution. Patch verification should focus on unconditional timer_shutdown_sync before work cancellation and free.
Mitigation direction
Prioritize kernel updates containing the referenced stable brcmfmac fixes.
Check Linux distribution and device vendor advisories for packaged fixed kernels.
Inventory systems using Broadcom brcmfmac Wi-Fi hardware or modules.
Restrict local shell access on affected systems until patched.
If patching is delayed, evaluate disabling unused affected wireless hardware.
Validation and detection
Confirm whether systems load or depend on the brcmfmac driver.
Map running kernels to vendor advisories or referenced stable commits.
Verify the fix removes the conditional timer shutdown path.
Regression test Wi-Fi and Bluetooth coexistence after kernel updates.
Review crash logs for brcmfmac or btcoex-related kernel faults.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-416: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
1ADP providers
7Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-416 · source CWE mapping
Use After Free
Use After Free represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.