{"id":"CVE-2025-39863","summary":"wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work\n\nThe brcmf_btcoex_detach() only shuts down the btcoex timer, if the\nflag timer_on is false. However, the brcmf_btcoex_timerfunc(), which\nruns as timer handler, sets timer_on to false. This creates critical\nrace conditions:\n\n1.If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc()\nis executing, it may observe timer_on as false and skip the call to\ntimer_shutdown_sync().\n\n2.The brcmf_btcoex_timerfunc() may then reschedule the brcmf_btcoex_info\nworker after the cancel_work_sync() has been executed, resulting in\nuse-after-free bugs.\n\nThe use-after-free bugs occur in two distinct scenarios, depending on\nthe timing of when the brcmf_btcoex_info struct is freed relative to\nthe execution of its worker thread.\n\nScenario 1: Freed before the worker is scheduled\n\nThe brcmf_btcoex_info is deallocated before the worker is scheduled.\nA race condition can occur when schedule_work(&bt_local-\u003ework) is\ncalled after the target memory has been freed. The sequence of events\nis detailed below:\n\nCPU0                           | CPU1\nbrcmf_btcoex_detach            | brcmf_btcoex_timerfunc\n                               |   bt_local-\u003etimer_on = false;\n  if (cfg-\u003ebtcoex-\u003etimer_on)   |\n    ...                        |\n  cancel_work_sync();          |\n  ...                          |\n  kfree(cfg-\u003ebtcoex); // FREE  |\n                               |   schedule_work(&bt_local-\u003ework); // USE\n\nScenario 2: Freed after the worker is scheduled\n\nThe brcmf_btcoex_info is freed after the worker has been scheduled\nbut before or during its execution. In this case, statements within\nthe brcmf_btcoex_handler() — such as the container_of macro and\nsubsequent dereferences of the brcmf_btcoex_info object will cause\na use-after-free access. The following timeline illustrates this\nscenario:\n\nCPU0                            | CPU1\nbrcmf_btcoex_detach             | brcmf_btcoex_timerfunc\n                                |   bt_local-\u003etimer_on = false;\n  if (cfg-\u003ebtcoex-\u003etimer_on)    |\n    ...                         |\n  cancel_work_sync();           |\n  ...                           |   schedule_work(); // Reschedule\n                                |\n  kfree(cfg-\u003ebtcoex); // FREE   |   brcmf_btcoex_handler() // Worker\n  /*                            |     btci = container_of(....); // USE\n   The kfree() above could      |     ...\n   also occur at any point      |     btci-\u003e // USE\n   during the worker's execution|\n   */                           |\n\nTo resolve the race conditions, drop the conditional check and call\ntimer_shutdown_sync() directly. It can deactivate the timer reliably,\nregardless of its current state. Once stopped, the timer_on state is\nthen set to false.","modified":"2026-04-02T12:48:11.316541Z","published":"2025-09-19T15:26:33.069Z","related":["SUSE-SU-2025:03600-1","SUSE-SU-2025:03614-1","SUSE-SU-2025:03634-1","SUSE-SU-2025:20851-1","SUSE-SU-2025:20861-1","SUSE-SU-2025:20870-1","SUSE-SU-2025:20898-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","SUSE-SU-2025:3751-1","SUSE-SU-2025:4057-1","SUSE-SU-2025:4132-1","SUSE-SU-2025:4141-1","openSUSE-SU-2025:20081-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39863.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/2f6fbc8e04ca1d1d5c560be694199f847229c625"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3e789f8475f6c857c88de5c5bf4b24b11a477dd7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9cb83d4be0b9b697eae93d321e0da999f9cdfcfc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ae58f70bde0433f27ef4b388ab50634736607bf6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f1150153c4e5940fe49ab51136343c5b4fe49d63"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39863.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39863"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"61730d4dfffc2cc9d3a49fad87633008105c18ba"},{"fixed":"ae58f70bde0433f27ef4b388ab50634736607bf6"},{"fixed":"f1150153c4e5940fe49ab51136343c5b4fe49d63"},{"fixed":"3e789f8475f6c857c88de5c5bf4b24b11a477dd7"},{"fixed":"2f6fbc8e04ca1d1d5c560be694199f847229c625"},{"fixed":"9cb83d4be0b9b697eae93d321e0da999f9cdfcfc"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-39863.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}