Cyber Posture

CVE-2022-49136

Severity: High
Published: 26 February 2025
Modified: 25 March 2025
KEV Added: (not listed)
Patch: (not listed)
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (27.3rd percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: Fix queuing commands when HCI_UNREGISTER is set. hci_cmd_sync_queue shall return an error if the HCI_UNREGISTER flag has been set, as that means hci_unregister_dev has been called, so it will likely cause a UAF after the timeout as the hdev will be freed.

Security Summary

CVE-2022-49136 is a use-after-free (CWE-416) vulnerability in the Linux kernel's Bluetooth subsystem, specifically within the hci_sync component. The flaw occurs because the hci_cmd_sync_queue function does not return an error when the HCI_UNREGISTER flag is set, which indicates that hci_unregister_dev has been called. This can lead to a use-after-free of the hdev structure after a timeout, once the device has been freed. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability by triggering command queuing in hci_sync after HCI_UNREGISTER is set. Successful exploitation could allow the attacker to achieve high impacts on confidentiality, integrity, and availability, potentially leading to arbitrary code execution or system crashes due to the use-after-free condition.

Mitigation is provided through kernel patches, including commits 0b94f2651f56b9e4aa5f012b0d7eb57308c773cf and 1c69ef84a808676cceb69210addf5df45b741323 available at git.kernel.org/stable. These fixes ensure that hci_cmd_sync_queue returns an error when HCI_UNREGISTER is set, preventing command queuing after device unregister and avoiding the subsequent use-after-free. Security practitioners should apply the relevant stable kernel updates to affected systems.
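The fix described above comes down to an ordering check: work must not be accepted for a device whose teardown has already begun, because the deferred work can run after the device memory is gone. The following is an added, constructed C model of that pattern; it is not the kernel's code, and the struct layout, queue, and the -ENODEV return value are assumptions chosen to mirror the names used in the summary. It places the unpatched queue function beside the patched one and shows that only the unpatched shape lets a callback fire after the modelled release.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the hci_sync command queue (assumption: not kernel code). */
struct hci_dev;
typedef void (*hci_cmd_sync_work_func_t)(struct hci_dev *hdev, void *data);

#define HCI_UNREGISTER 0x1u
#define MAX_QUEUED 8

struct hci_dev {
    unsigned int flags;                         /* HCI_* flag bits */
    int released;                               /* 1 once hdev memory is modelled as freed */
    hci_cmd_sync_work_func_t queue[MAX_QUEUED]; /* pending deferred work */
    int n_queued;
};

static int hci_dev_test_flag(const struct hci_dev *hdev, unsigned int flag)
{
    return (hdev->flags & flag) != 0;
}

/* Unpatched shape: queues work even while the device is being torn down. */
static int hci_cmd_sync_queue_unpatched(struct hci_dev *hdev, hci_cmd_sync_work_func_t func)
{
    if (hdev->n_queued >= MAX_QUEUED)
        return -ENOMEM;
    hdev->queue[hdev->n_queued++] = func;
    return 0;
}

/* Patched shape: refuse new work once HCI_UNREGISTER is set, so nothing
 * queued here can run against hdev after it has been freed.
 * (-ENODEV is an assumed error code for this model.) */
static int hci_cmd_sync_queue_patched(struct hci_dev *hdev, hci_cmd_sync_work_func_t func)
{
    if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
        return -ENODEV;
    if (hdev->n_queued >= MAX_QUEUED)
        return -ENOMEM;
    hdev->queue[hdev->n_queued++] = func;
    return 0;
}

/* Teardown as two steps: the flag is set first, the memory goes away later. */
static void hci_unregister_dev(struct hci_dev *hdev) { hdev->flags |= HCI_UNREGISTER; }
static void hci_dev_release(struct hci_dev *hdev) { hdev->released = 1; }

/* Constructed no-op command so the model stays memory-safe when it runs. */
static void sample_cmd(struct hci_dev *hdev, void *data) { (void)hdev; (void)data; }

/* Runs whatever was queued and counts callbacks that fire after release,
 * i.e. the use-after-free window the advisory describes. */
static int run_queued_work(struct hci_dev *hdev)
{
    int dangerous = 0;
    for (int i = 0; i < hdev->n_queued; i++) {
        if (hdev->released)
            dangerous++;
        hdev->queue[i](hdev, NULL);
    }
    hdev->n_queued = 0;
    return dangerous;
}

/* Scenario: unregister begins, then a command is queued. Returns the queue rc. */
static int queue_rc_after_unregister(int patched)
{
    struct hci_dev hdev;
    memset(&hdev, 0, sizeof hdev);
    hci_unregister_dev(&hdev);
    return patched ? hci_cmd_sync_queue_patched(&hdev, sample_cmd)
                   : hci_cmd_sync_queue_unpatched(&hdev, sample_cmd);
}

/* Same scenario carried through the release and the deferred "timeout" run.
 * Returns how many callbacks would touch the freed hdev. */
static int uaf_callbacks_after_unregister(int patched)
{
    struct hci_dev hdev;
    memset(&hdev, 0, sizeof hdev);
    hci_unregister_dev(&hdev);
    if (patched)
        hci_cmd_sync_queue_patched(&hdev, sample_cmd);
    else
        hci_cmd_sync_queue_unpatched(&hdev, sample_cmd);
    hci_dev_release(&hdev);
    return run_queued_work(&hdev);
}

int main(void)
{
    printf("unpatched: rc=%d, callbacks on freed hdev=%d\n",
           queue_rc_after_unregister(0), uaf_callbacks_after_unregister(0));
    printf("patched:   rc=%d, callbacks on freed hdev=%d\n",
           queue_rc_after_unregister(1), uaf_callbacks_after_unregister(1));
    return 0;
}
```

The point of the model is the order of operations: the flag is visible before the memory is released, so a queue-time check on the flag is enough to close the window, whereas checking at run time would already be too late because the callback holds a pointer to the freed structure.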

Details

CWE(s): CWE-416 (use-after-free)

Affected Products

Vendor: linux
Product: linux kernel
Versions: 5.17 through 5.17.3

References