LiveActive security incident?Get immediate response
CVE Record

CVE-2025-68305: Bluetooth: hci_sock: Prevent race in socket write iter and sock bind

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sock: Prevent race in socket write iter and sock bind There is a potential race condition between sock bind and socket write iter. bind may free the same cmd via mgmt_pending before write iter sends the cmd, just as syzbot reported in UAF[1]. Here we use hci_dev_lock to synchronize the two, thereby avoiding the UAF mentioned in [1]. [1] syzbot reported: BUG: KASAN: slab-use-after-free in mgmt_pending_remove+0x3b/0x210 net/bluetooth/mgmt_util.c:316 Read of size 8 at addr ffff888077164818 by task syz.0.17/5989 Call Trace: mgmt_pending_remove+0x3b/0x210 net/bluetooth/mgmt_util.c:316 set_link_security+0x5c2/0x710 net/bluetooth/mgmt.c:1918 hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719 hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:742 sock_write_iter+0x279/0x360 net/socket.c:1195 Allocated by task 5989: mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296 set_link_security+0x557/0x710 net/bluetooth/mgmt.c:1910 hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719 hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:742 sock_write_iter+0x279/0x360 net/socket.c:1195 Freed by task 5991: mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline] mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257 mgmt_index_removed+0x112/0x2f0 net/bluetooth/mgmt.c:9477 hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2025-68305 is a Linux kernel Bluetooth bug involving a race condition that can cause use-after-free memory access. The public record does not provide CVSS, exploitation requirements, or impact beyond the kernel bug report. Treat it as relevant for Linux systems using Bluetooth, but not as confirmed actively exploited.

Executive priority

Patch during normal security maintenance, faster for Bluetooth-enabled Linux fleets. Escalate if vendor guidance later confirms privilege escalation, remote reachability, or exploitation. Current public evidence does not support emergency treatment.

Technical view

The flaw is in Linux Bluetooth hci_sock handling. A race between socket bind and socket write_iter can free a management command while another path still uses it. The fix synchronizes these paths with hci_dev_lock. The report is based on syzbot/KASAN evidence showing slab-use-after-free in mgmt_pending_remove.

Likely exposure

Exposure is most likely on affected Linux kernels with Bluetooth/HCI management functionality present. The supplied version data is incomplete and somewhat ambiguous, so confirm against vendor kernel advisories and the referenced stable commits.

Exploitation context

No source indicates active exploitation, and KEV is false. The sources do not state whether exploitation is remote, local, authenticated, or practical outside syzbot-style race testing. Impact should be assessed as a kernel memory-safety issue with unclear exploitability.

Researcher notes

The public record provides a kernel commit description and syzbot trace, but no CVSS, CWE, exploit status, or detailed affected-range semantics. Avoid assuming exploitability. Focus review on hci_sock_sendmsg, hci_sock_bind, mgmt_pending lifecycle, and stable backports.

Mitigation direction

  • Check your Linux vendor advisory for CVE-2025-68305 coverage.
  • Update to a kernel package containing the referenced stable fix.
  • Prioritize systems where Bluetooth is enabled or required.
  • If patching is delayed, review vendor guidance on reducing Bluetooth exposure.

Validation and detection

  • Inventory Linux kernel versions across endpoints, servers, and appliances.
  • Identify systems with Bluetooth support enabled or loaded.
  • Compare installed kernel changelogs against the referenced stable commits.
  • Confirm vendor packages explicitly mention this CVE or the hci_sock race fix.
Prepared
Confidence
medium
Sources
6

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-68305 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
5Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxbdd56875c6926d8009914f427df71797693e90d4, 4e83f2dbb2bf677e614109df24426c4dded472d4, 6fe26f694c824b8a4dbf50c635bee1302e3f099c, 6fe26f694c824b8a4dbf50c635bee1302e3f099c, d7882db79135c829a922daf3571f33ea1e056ae3, 6.6.94, 6.12.34, 6.15.3unaffected
LinuxLinux6.16, 0, 6.6.119, 6.12.61, 6.17.11, 6.18affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.