CVE-2025-68305: Bluetooth: hci_sock: Prevent race in socket write iter and sock bind
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_sock: Prevent race in socket write iter and sock bind
There is a potential race condition between sock bind and socket write
iter. bind may free the same cmd via mgmt_pending before write iter sends
the cmd, just as syzbot reported in UAF[1].
Here we use hci_dev_lock to synchronize the two, thereby avoiding the
UAF mentioned in [1].
[1]
syzbot reported:
BUG: KASAN: slab-use-after-free in mgmt_pending_remove+0x3b/0x210 net/bluetooth/mgmt_util.c:316
Read of size 8 at addr ffff888077164818 by task syz.0.17/5989
Call Trace:
mgmt_pending_remove+0x3b/0x210 net/bluetooth/mgmt_util.c:316
set_link_security+0x5c2/0x710 net/bluetooth/mgmt.c:1918
hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719
hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:742
sock_write_iter+0x279/0x360 net/socket.c:1195
Allocated by task 5989:
mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296
set_link_security+0x557/0x710 net/bluetooth/mgmt.c:1910
hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719
hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:742
sock_write_iter+0x279/0x360 net/socket.c:1195
Freed by task 5991:
mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline]
mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257
mgmt_index_removed+0x112/0x2f0 net/bluetooth/mgmt.c:9477
hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314
Security readout for executives and security teams
Plain-English summary
CVE-2025-68305 is a Linux kernel Bluetooth bug involving a race condition that can cause use-after-free memory access. The public record does not provide CVSS, exploitation requirements, or impact beyond the kernel bug report. Treat it as relevant for Linux systems using Bluetooth, but not as confirmed actively exploited.
Executive priority
Patch during normal security maintenance, faster for Bluetooth-enabled Linux fleets. Escalate if vendor guidance later confirms privilege escalation, remote reachability, or exploitation. Current public evidence does not support emergency treatment.
Technical view
The flaw is in Linux Bluetooth hci_sock handling. A race between socket bind and socket write_iter can free a management command while another path still uses it. The fix synchronizes these paths with hci_dev_lock. The report is based on syzbot/KASAN evidence showing slab-use-after-free in mgmt_pending_remove.
Likely exposure
Exposure is most likely on affected Linux kernels with Bluetooth/HCI management functionality present. The supplied version data is incomplete and somewhat ambiguous, so confirm against vendor kernel advisories and the referenced stable commits.
Exploitation context
No source indicates active exploitation, and KEV is false. The sources do not state whether exploitation is remote, local, authenticated, or practical outside syzbot-style race testing. Impact should be assessed as a kernel memory-safety issue with unclear exploitability.
Researcher notes
The public record provides a kernel commit description and syzbot trace, but no CVSS, CWE, exploit status, or detailed affected-range semantics. Avoid assuming exploitability. Focus review on hci_sock_sendmsg, hci_sock_bind, mgmt_pending lifecycle, and stable backports.
Mitigation direction
Check your Linux vendor advisory for CVE-2025-68305 coverage.
Update to a kernel package containing the referenced stable fix.
Prioritize systems where Bluetooth is enabled or required.
If patching is delayed, review vendor guidance on reducing Bluetooth exposure.
Validation and detection
Inventory Linux kernel versions across endpoints, servers, and appliances.
Identify systems with Bluetooth support enabled or loaded.
Compare installed kernel changelogs against the referenced stable commits.
Confirm vendor packages explicitly mention this CVE or the hci_sock race fix.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2025-68305 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.