Updated: 2025-12-28 03:38:42.750109
Description:
In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work The brcmf_btcoex_detach() only shuts down the btcoex timer, if the flag timer_on is false. However, the brcmf_btcoex_timerfunc(), which runs as timer handler, sets timer_on to false. This creates critical race conditions: 1.If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc() is executing, it may observe timer_on as false and skip the call to timer_shutdown_sync(). 2.The brcmf_btcoex_timerfunc() may then reschedule the brcmf_btcoex_info worker after the cancel_work_sync() has been executed, resulting in use-after-free bugs. The use-after-free bugs occur in two distinct scenarios, depending on the timing of when the brcmf_btcoex_info struct is freed relative to the execution of its worker thread. Scenario 1: Freed before the worker is scheduled The brcmf_btcoex_info is deallocated before the worker is scheduled. A race condition can occur when schedule_work(&bt_local->work) is called after the target memory has been freed. The sequence of events is detailed below: CPU0 | CPU1 brcmf_btcoex_detach | brcmf_btcoex_timerfunc | bt_local->timer_on = false; if (cfg->btcoex->timer_on) | ... | cancel_work_sync(); | ... | kfree(cfg->btcoex); // FREE | | schedule_work(&bt_local->work); // USE Scenario 2: Freed after the worker is scheduled The brcmf_btcoex_info is freed after the worker has been scheduled but before or during its execution. In this case, statements within the brcmf_btcoex_handler() — such as the container_of macro and subsequent dereferences of the brcmf_btcoex_info object will cause a use-after-free access. The following timeline illustrates this scenario: CPU0 | CPU1 brcmf_btcoex_detach | brcmf_btcoex_timerfunc | bt_local->timer_on = false; if (cfg->btcoex->timer_on) | ... | cancel_work_sync(); | ... | schedule_work(); // Reschedule | kfree(cfg->btcoex); // FREE | brcmf_btcoex_handler() // Worker /* | btci = container_of(....); // USE The kfree() above could | ... also occur at any point | btci-> // USE during the worker's execution| */ | To resolve the race conditions, drop the conditional check and call timer_shutdown_sync() directly. It can deactivate the timer reliably, regardless of its current state. Once stopped, the timer_on state is then set to false.
| Links | NIST | CIRCL | RHEL | Ubuntu |
| Severity | Score | |
|---|---|---|
| CVSS Version 2.x | 0.0 | |
| CVSS Version 3.x | HIGH | 7.8 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | kernel | 5.14.0 | 7.8 | HIGH | Needs Triage | 2025-12-28 08:34:42 | ||
| CentOS 7 ELS | kernel | 3.10.0 | 7.8 | HIGH | In Testing | 2026-01-06 15:45:09 | ||
| CentOS 8.4 ELS | kernel | 4.18.0 | 7.8 | HIGH | Needs Triage | 2025-12-28 08:34:40 | ||
| CentOS 8.5 ELS | kernel | 4.18.0 | 7.8 | HIGH | Needs Triage | 2025-12-28 08:34:38 | ||
| CentOS Stream 8 ELS | kernel | 4.18.0 | 7.8 | HIGH | Needs Triage | 2025-12-28 08:34:45 | ||
| CloudLinux 7 ELS | kernel | 3.10.0 | 7.8 | HIGH | Needs Triage | 2025-12-28 08:34:47 | ||
| Oracle Linux 7 ELS | kernel | 3.10.0 | 7.8 | HIGH | Released | CLSA-2026:1767867153 | 2026-01-08 16:26:30 | |
| Oracle Linux 7 ELS | kernel-uek | 5.4.17 | 7.8 | HIGH | Needs Triage | 2025-12-28 06:59:32 | ||
| RHEL 7 ELS | kernel | 3.10.0 | 7.8 | HIGH | Released | CLSA-2026:1767867718 | 2026-01-08 16:26:28 | |
| TuxCare 9.6 ESU | kernel | 5.14.0 | 7.8 | HIGH | Needs Triage | 2025-12-28 08:34:41 |