PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-39981 Unknown Vendor CVE debrief

CVE-2025-39981 describes a Linux kernel Bluetooth MGMT memory-safety bug in the pending-command lifecycle. The supplied kernel fix adds validity checks and tighter list handling so a pending command cannot be freed while callbacks are still processing it, addressing possible use-after-free conditions observed in KASAN traces. For defenders, this is a kernel-stability issue with potential security implications, so affected Linux environments should track the upstream fix and vendor backports.

Vendor: Unknown Vendor
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-10-15
Original CVE updated: 2026-05-17
Advisory published: 2025-10-15
Advisory updated: 2026-05-17

Who should care

Linux kernel maintainers, distro security teams, device and endpoint administrators, and anyone operating Linux systems with Bluetooth enabled or relying on the Bluetooth management stack.

Technical summary

The issue is in net/bluetooth/mgmt and related mgmt_util paths. A struct mgmt_pending object could be removed and freed while another path was still using it, creating a TOCTOU window and possible use-after-free. The fix introduces mgmt_pending_valid checks and removes the command from the pending list while holding mgmt_pending_lock, reducing the chance that completion callbacks or synchronous work access freed memory.
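
The pattern described above, as an added userspace model in C (not the kernel's code and not part of the original debrief): the validity check and the unlink happen in one critical section, so only one path can take ownership of a pending command and free it. The names pending_claim and pending_complete, the list layout, and the pthread mutex standing in for mgmt_pending_lock are assumptions made for illustration.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>
/* Simplified userspace model; every name here is hypothetical. */
struct pending { struct pending *next; int opcode; };

static struct pending *pending_head;
static pthread_mutex_t pending_lock = PTHREAD_MUTEX_INITIALIZER;

static struct pending *pending_add(int opcode)
{
    struct pending *cmd = calloc(1, sizeof(*cmd));
    if (!cmd)
        return NULL;
    cmd->opcode = opcode;
    pthread_mutex_lock(&pending_lock);
    cmd->next = pending_head;
    pending_head = cmd;
    pthread_mutex_unlock(&pending_lock);
    return cmd;
}

/* Validity check and unlink in one critical section. The list is searched by
 * address, so a stale cmd is never dereferenced; true transfers ownership. */
static bool pending_claim(struct pending *cmd)
{
    bool found = false;
    pthread_mutex_lock(&pending_lock);
    for (struct pending **pp = &pending_head; *pp; pp = &(*pp)->next) {
        if (*pp == cmd) {
            *pp = cmd->next;
            found = true;
            break;
        }
    }
    pthread_mutex_unlock(&pending_lock);
    return found;
}

/* Every finishing path (callback, sync work, cancel) goes through here.
 * Returns the opcode handled, or -1 when another path already claimed cmd. */
static int pending_complete(struct pending *cmd)
{
    if (!pending_claim(cmd))
        return -1;
    int opcode = cmd->opcode;
    free(cmd);
    return opcode;
}
```

A second pending_complete call on the same pointer returns -1 without touching the freed object, which is the interleaving that would otherwise be a use-after-free.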

Defensive priority

High for Linux fleets that include Bluetooth support, especially where kernel updates are centrally managed. The supplied report shows a KASAN slab-use-after-free in the Bluetooth management path, so remediation should be prioritized through upstream or vendor kernel updates.

Recommended defensive actions

  • Check whether your kernel build includes the upstream Bluetooth MGMT fix referenced by the supplied kernel commits.
  • Apply vendor kernel updates or backports that cover the mgmt_pending validity and locking changes.
  • Prioritize reboot-based rollout for systems that keep Bluetooth enabled and regularly use the management interface.
  • Monitor kernel advisories and distro errata for confirmation that the fix is included in your release stream.
  • If you maintain custom kernels, review any local changes around net/bluetooth/mgmt.c and mgmt_util.c for equivalent race conditions.

Evidence notes

The supplied CVE description states the bug is resolved in Linux kernel Bluetooth MGMT by fixing possible UAFs involving struct mgmt_pending. The record’s metadata cites four upstream stable kernel commit URLs as references, and NVD marks the vulnerability status as Deferred. PublishedAt is 2025-10-15T08:15:36.017Z and ModifiedAt is 2026-05-17T16:16:14.497Z; those dates are used here only as record timing context.

Official resources

Public CVE record published 2025-10-15T08:15:36.017Z; last modified 2026-05-17T16:16:14.497Z. NVD metadata in the supplied source marks the vulnerability status as Deferred.