{
  "threat_severity" : "Low",
  "public_date" : "2026-01-13T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Bluetooth: btusb: revert use of devm_kzalloc in btusb",
    "id" : "2429054",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2429054"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-826",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nBluetooth: btusb: revert use of devm_kzalloc in btusb\nThis reverts commit 98921dbd00c4e (\"Bluetooth: Use devm_kzalloc in\nbtusb.c file\").\nIn btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This\nties the lifetime of all the btusb data to the binding of a driver to\none interface, INTF. In a driver that binds to other interfaces, ISOC\nand DIAG, this is an accident waiting to happen.\nThe issue is revealed in btusb_disconnect(), where calling\nusb_driver_release_interface(&btusb_driver, data->intf) will have devm\nfree the data that is also being used by the other interfaces of the\ndriver that may not be released yet.\nTo fix this, revert the use of devm and go back to freeing memory\nexplicitly.", "A use-after-free flaw was found in the Linux kernel's Bluetooth USB driver. The btusb driver binds to multiple USB interfaces (INTF, ISOC, DIAG) but allocates its data structure with devm_kzalloc() tied to a single interface. When that interface is released, the memory is freed while other interfaces still reference it, causing use-after-free." ],
  "statement" : "This affects systems with USB Bluetooth adapters. The issue occurs during Bluetooth disconnect operations when multiple interfaces are involved. The fix reverts to explicit memory management to properly handle multi-interface lifetimes.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-71082\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-71082\nhttps://lore.kernel.org/linux-cve-announce/2026011339-CVE-2025-71082-ef8a@gregkh/T" ],
  "name" : "CVE-2025-71082",
  "csaw" : false
}