2429054 – (CVE-2025-71082) CVE-2025-71082 kernel: Bluetooth: btusb: revert use of devm_kzalloc in btusb

Bug 2429054 (CVE-2025-71082) - CVE-2025-71082 kernel: Bluetooth: btusb: revert use of devm_kzalloc in btusb

Summary: CVE-2025-71082 kernel: Bluetooth: btusb: revert use of devm_kzalloc in btusb

Keywords:
Status:	NEW
Alias:	CVE-2025-71082
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-13 16:03 UTC by OSIDB Bzimport
Modified:	2026-01-14 09:46 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-01-13 16:03:28 UTC

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btusb: revert use of devm_kzalloc in btusb

This reverts commit 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in
btusb.c file").

In btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This
ties the lifetime of all the btusb data to the binding of a driver to
one interface, INTF. In a driver that binds to other interfaces, ISOC
and DIAG, this is an accident waiting to happen.

The issue is revealed in btusb_disconnect(), where calling
usb_driver_release_interface(&btusb_driver, data->intf) will have devm
free the data that is also being used by the other interfaces of the
driver that may not be released yet.

To fix this, revert the use of devm and go back to freeing memory
explicitly.

Comment 1 Mauro Matteo Cascella 2026-01-14 09:37:40 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026011339-CVE-2025-71082-ef8a@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.