CVE-2025-39863
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work

The brcmf_btcoex_detach() only shuts down the btcoex timer, if the flag timer_on is false. However, the brcmf_btcoex_timerfunc(), which runs as timer handler, sets timer_on to false. This creates critical race conditions:

1. If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc() is executing, it may observe timer_on as false and skip the call to timer_shutdown_sync().
2. The brcmf_btcoex_timerfunc() may then reschedule the brcmf_btcoex_info worker after the cancel_work_sync() has been executed, resulting in use-after-free bugs.

The use-after-free bugs occur in two distinct scenarios, depending on the timing of when the brcmf_btcoex_info struct is freed relative to the execution of its worker thread.

Scenario 1: Freed before the worker is scheduled
The brcmf_btcoex_info is deallocated before the worker is scheduled. A race condition can occur when schedule_work(&bt_local->work) is called after the target memory has been freed. The sequence of events is detailed below:

    CPU0                           | CPU1
    brcmf_btcoex_detach            | brcmf_btcoex_timerfunc
                                   |   bt_local->timer_on = false;
    if (cfg->btcoex->timer_on)     |   ...
      cancel_work_sync();          |   ...
      kfree(cfg->btcoex); // FREE  |
                                   |   schedule_work(&bt_local->work); // USE

Scenario 2: Freed after the worker is scheduled
The brcmf_btcoex_info is freed after the worker has been scheduled but before or during its execution. In this case, statements within the brcmf_btcoex_handler() - such as the container_of macro and subsequent dereferences of the brcmf_btcoex_info object - will cause a use-after-free access. The following timeline illustrates this scenario:

    CPU0                           | CPU1
    brcmf_btcoex_detach            | brcmf_btcoex_timerfunc
                                   |   bt_local->timer_on = false;
    if (cfg->btcoex->timer_on)     |   ...
      cancel_work_sync();          |   ...
                                   |   schedule_work(); // Reschedule
      kfree(cfg->btcoex); // FREE  | brcmf_btcoex_handler() // Worker
    /*                             |   btci = container_of(....); // USE
    The kfree() above could        |   ...
    also occur at any point        |   btci-> // USE
    during the worker's execution  |
    */                             |

To resolve the race conditions, drop the conditional check and call timer_shutdown_sync() directly. It can deactivate the timer reliably, regardless of its current state. Once stopped, the timer_on state is then set to false.
Analysis
Use-after-free in the Linux kernel's Broadcom FullMAC Wi-Fi driver (brcmfmac) allows local authenticated attackers with low privileges to achieve code execution, elevate privileges, or cause denial of service through race conditions in the Bluetooth coexistence timer handler. The vulnerability affects multiple kernel versions including 6.17 release candidates, carries a CVSS score of 7.8 (High), and has an EPSS score of 0.02% (4th percentile). Vendor patches are available across stable kernel branches, and no public exploit has been identified at time of analysis.
Technical Context
The brcmfmac driver manages Wi-Fi functionality for Broadcom FullMAC chipsets in Linux. This CWE-416 (Use After Free) vulnerability arises from improper synchronization between the brcmf_btcoex_detach() cleanup function and the brcmf_btcoex_timerfunc() timer handler. The race condition occurs because detach only calls timer_shutdown_sync() when timer_on is true, but the timer handler sets timer_on to false during execution, creating a window where the timer can reschedule work after cancel_work_sync() completes. The freed brcmf_btcoex_info structure can then be accessed either during schedule_work() or within brcmf_btcoex_handler() via the container_of macro and subsequent dereferences. Affected CPE configurations span multiple kernel version ranges, including cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* and specifically versions 6.17-rc1 through 6.17-rc4.
Affected Products
The Linux kernel is affected across multiple stable branches and development versions. Specifically confirmed via CPE entries are kernel versions in continuous ranges prior to patched releases, as well as release candidates 6.17-rc1, 6.17-rc2, 6.17-rc3, and 6.17-rc4. The vulnerability impacts systems using the Broadcom FullMAC wireless driver (brcmfmac module) with Bluetooth coexistence functionality enabled. Ubuntu has issued security notices USN-8126-1 and USN-8125-1 addressing this CVE in their kernel packages. All Linux distributions incorporating the affected brcmfmac driver code between the vulnerable commit introduction and stable branch patches should be considered at risk.
Remediation
Upgrade to patched Linux kernel versions containing commits 2f6fbc8e04ca, 3e789f8475f6, 9cb83d4be0b9, ae58f70bde04, or f1150153c4e5 available from https://git.kernel.org/stable/. Ubuntu users should apply updates per USN-8126-1 (https://ubuntu.com/security/notices/USN-8126-1) and USN-8125-1 (https://ubuntu.com/security/notices/USN-8125-1). The fix eliminates the conditional timer_on check in brcmf_btcoex_detach() and calls timer_shutdown_sync() unconditionally, ensuring reliable timer deactivation regardless of state. Until patching is complete, consider disabling the brcmfmac module if Broadcom Wi-Fi hardware is not required, or restrict local user access on affected systems. No effective runtime workaround exists that preserves driver functionality while mitigating the race condition.
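To show why the unconditional timer_shutdown_sync() closes both windows from the description, the following user-space C model (added here; it is neither kernel code nor the upstream patch) replays both interleavings against the vulnerable and the patched detach. The kernel primitives timer_shutdown_sync(), cancel_work_sync() and schedule_work() are replaced by stand-ins over a struct btcoex_info carrying a freed flag; the struct fields, handler_midway and run_race() are the model's own names, and the handler is split at the point where detach can interleave, following the CPU1 ordering in the timelines above.

```c
#include <stdbool.h>
struct btcoex_info {     /* the brcmf_btcoex_info fields that matter for the race */
    bool timer_on;       /* cleared by the timer handler on CPU1 */
    bool handler_midway; /* handler cleared timer_on but has not yet called schedule_work */
    bool work_pending;   /* work item queued by schedule_work() */
    bool freed;          /* models kfree(); a real UAF corrupts memory instead */
};
static int uaf_count;    /* every access to a freed object is counted here */
static void schedule_work(struct btcoex_info *b)
{
    if (b->freed) { uaf_count++; return; }  /* scenario 1: USE after FREE */
    b->work_pending = true;
}
/* CPU1: brcmf_btcoex_timerfunc() split where brcmf_btcoex_detach() can interleave. */
static void timerfunc_begin(struct btcoex_info *b) { b->timer_on = false; b->handler_midway = true; }
static void timerfunc_resume(struct btcoex_info *b)
{
    if (!b->handler_midway) return;
    schedule_work(b);                       /* reschedule the worker */
    b->handler_midway = false;
}
/* timer_shutdown_sync() waits for a running handler and forbids any re-arm. */
static void timer_shutdown_sync(struct btcoex_info *b) { timerfunc_resume(b); }
static void cancel_work_sync(struct btcoex_info *b)   { b->work_pending = false; }
static void run_worker(struct btcoex_info *b) /* brcmf_btcoex_handler(): btci-> on the object */
{
    if (b->work_pending && b->freed) uaf_count++;   /* scenario 2: USE after FREE */
    b->work_pending = false;
}
/* CPU0: brcmf_btcoex_detach(); 'fixed' selects the patched control flow. */
static void detach(struct btcoex_info *b, bool fixed, bool resume_before_free)
{
    if (fixed) {                 /* patched: shut the timer down unconditionally */
        timer_shutdown_sync(b); b->timer_on = false;
    } else if (b->timer_on) {    /* vulnerable: skipped, CPU1 already cleared the flag */
        b->timer_on = false; timer_shutdown_sync(b);
    }
    cancel_work_sync(b);
    if (resume_before_free) timerfunc_resume(b); /* scenario 2: worker queued before kfree */
    b->freed = true;             /* kfree(cfg->btcoex) */
}
/* Runs one interleaving and returns how many use-after-free accesses it produced. */
int run_race(bool fixed, bool scenario2)
{
    struct btcoex_info b = { .timer_on = true };
    uaf_count = 0;
    timerfunc_begin(&b);         /* CPU1 handler is mid-flight when teardown starts */
    detach(&b, fixed, scenario2);
    timerfunc_resume(&b);        /* scenario 1: CPU1 finishes only after kfree */
    run_worker(&b);
    return uaf_count;
}
```

With the vulnerable detach, run_race() reports one freed-object access in each scenario; with the patched flow, timer_shutdown_sync() lets the in-flight handler queue its work before cancel_work_sync() runs, so neither scenario touches freed memory.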