In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition In btsdio_probe, the data->work is bound with btsdio_work. It will be started in btsdio_send_frame. If the btsdio_remove runs with a unfinished work, there may be a race condition that hdev is freed but used in btsdio_work. Fix it by canceling the work before do cleanup in btsdio_remove.
2025-05-10T15:15:58.587
2025-11-12T20:42:21.067
Analyzed
416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSSv3.1: 7.8 (HIGH)
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Operating System | linux | linux_kernel | < 4.14.326 | Yes |
| Operating System | linux | linux_kernel | < 4.19.295 | Yes |
| Operating System | linux | linux_kernel | < 5.4.257 | Yes |
| Operating System | linux | linux_kernel | < 5.10.195 | Yes |
| Operating System | linux | linux_kernel | < 5.15.131 | Yes |
| Operating System | linux | linux_kernel | < 6.1.52 | Yes |
| Operating System | linux | linux_kernel | < 6.3 | Yes |
| Operating System | linux | linux_kernel | 6.3 | Yes |
| Operating System | linux | linux_kernel | 6.3 | Yes |
| Operating System | linux | linux_kernel | 6.3 | Yes |
| Operating System | linux | linux_kernel | 6.3 | Yes |
| Operating System | linux | linux_kernel | 6.3 | Yes |
| Operating System | linux | linux_kernel | 6.3 | Yes |