CVE-2022-49474
Published: 26 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout

Connecting the same socket twice consecutively in sco_sock_connect() could lead to a race condition where two sco_conn objects are created but only one is associated with the socket. If the socket is closed before the SCO connection is established, the timer associated with the dangling sco_conn object won't be canceled. As the sock object is being freed, the use-after-free problem happens when the timer callback function sco_sock_timeout() accesses the socket.

Here's the call trace:
dump_stack+0x107/0x163
? refcount_inc+0x1c/
print_address_description.constprop.0+0x1c/0x47e
? refcount_inc+0x1c/0x7b
kasan_report+0x13a/0x173
? refcount_inc+0x1c/0x7b
check_memory_region+0x132/0x139
refcount_inc+0x1c/0x7b
sco_sock_timeout+0xb2/0x1ba
process_one_work+0x739/0xbd1
? cancel_delayed_work+0x13f/0x13f
? __raw_spin_lock_init+0xf0/0xf0
? to_kthread+0x59/0x85
worker_thread+0x593/0x70e
kthread+0x346/0x35a
? drain_workqueue+0x31a/0x31a
? kthread_bind+0x4b/0x4b
ret_from_fork+0x1f/0x30
Security Summary
CVE-2022-49474 is a use-after-free vulnerability in the Linux kernel's Bluetooth subsystem, specifically affecting the SCO (Synchronous Connection-Oriented) socket handling in sco_sock_connect() and sco_sock_timeout(). The issue arises from a race condition when connecting the same socket twice consecutively, resulting in two sco_conn objects being created but only one associated with the socket. If the socket is closed before the SCO connection is established, the timer for the dangling sco_conn object is not canceled, leading to a use-after-free when the timer callback accesses the freed socket object. This is confirmed by a kernel call trace involving kasan_report and refcount_inc in sco_sock_timeout().
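The object lifecycle behind this bug is easier to reason about in a small model than in the kernel sources. The following C program is an added illustration, not code from the kernel or from the fix commits: it models a socket, connection objects that hold a back-pointer to it, and a per-connection pending-timer flag standing in for the kernel's delayed work. In the vulnerable variant a second connect creates a second connection object while the socket only remembers the newest one, so close cancels only that one's timer and the first timer later dereferences the freed socket. The hardened variant models the general defensive rule (a socket must not acquire a second in-flight connection object while one exists, and every object that can point at the socket must be detached before the socket is freed); the names, the "freed" flag used to count would-be use-after-free accesses, and the EBUSY-style rejection are constructed for this model and are not claims about how the upstream patch is implemented.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed userspace model of the dangling-timer pattern described in the
 * CVE text. Not kernel code. The freed socket stays in the arena with a
 * 'freed' flag so the model can count accesses that would be use-after-free
 * in the kernel without dereferencing actually freed memory. */

#define MAX_CONNS 4

struct model_conn;

struct model_sock {
    bool freed;                 /* set by model_close(); stands in for kfree */
    struct model_conn *conn;    /* the one conn the socket is associated with */
};

struct model_conn {
    struct model_sock *sk;      /* back-pointer used by the timer callback */
    bool timer_pending;         /* stands in for an armed delayed_work */
};

struct model_state {
    struct model_sock sock;
    struct model_conn conns[MAX_CONNS];
    int nconns;
    int uaf_hits;               /* timer callbacks that touched a freed socket */
    bool hardened;              /* refuse a second connect while one is pending */
};

void model_init(struct model_state *st, bool hardened) {
    *st = (struct model_state){0};
    st->hardened = hardened;
}

/* connect(): allocate a conn, point it at the socket, arm its timer, and make
 * the socket refer to it. Vulnerable variant: a second call silently creates
 * a second conn and the socket now refers only to the newest one. Hardened
 * variant: reject a connect while the socket already has a conn (EBUSY-like). */
int model_connect(struct model_state *st) {
    if (st->sock.freed || st->nconns >= MAX_CONNS) return -1;
    if (st->hardened && st->sock.conn != NULL) return -1;
    struct model_conn *c = &st->conns[st->nconns++];
    c->sk = &st->sock;
    c->timer_pending = true;
    st->sock.conn = c;
    return 0;
}

/* close(): detach and cancel the timer of the conn the socket knows about,
 * then free the socket. Any other conn still pointing at it is now dangling. */
void model_close(struct model_state *st) {
    struct model_conn *c = st->sock.conn;
    if (c) {
        c->timer_pending = false;
        c->sk = NULL;
        st->sock.conn = NULL;
    }
    st->sock.freed = true;
}

/* Timer callback: reaches the socket through conn->sk, as the real callback
 * does when it takes a reference on the socket. */
static void model_timeout(struct model_state *st, struct model_conn *c) {
    c->timer_pending = false;
    if (c->sk == NULL) return;           /* properly detached, nothing to do */
    if (c->sk->freed) st->uaf_hits++;    /* in the kernel: use-after-free here */
}

/* Fire every pending timer; returns the number of use-after-free accesses. */
int model_run_timers(struct model_state *st) {
    for (int i = 0; i < st->nconns; i++)
        if (st->conns[i].timer_pending) model_timeout(st, &st->conns[i]);
    return st->uaf_hits;
}

/* Scenario from the CVE text: connect twice, close before the connection is
 * established, then let the timers run. Returns the UAF count for the variant;
 * optionally reports the return code of the second connect. */
int model_scenario(bool hardened, int *second_connect_rc) {
    struct model_state st;
    model_init(&st, hardened);
    model_connect(&st);
    int rc = model_connect(&st);
    if (second_connect_rc) *second_connect_rc = rc;
    model_close(&st);
    return model_run_timers(&st);
}

int main(void) {
    int rc;
    printf("vulnerable: uaf_hits=%d\n", model_scenario(false, &rc));
    printf("hardened:   uaf_hits=%d (second connect rc=%d)\n",
           model_scenario(true, &rc), rc);
    return 0;
}
```

The vulnerable run reports one access to the freed socket, which is the condition KASAN flagged in the trace above; the hardened run rejects the second connect, so close cancels the only timer and nothing dangles. The same two invariants are what a reviewer checks in any timer-plus-back-pointer design: one owner per back-pointer, and detach-before-free.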
The CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects a vulnerability exploitable by a local attacker with low privileges. The attacker must trigger the race by rapidly connecting the same SCO socket twice and closing it before the connection establishes, causing the timer callback to access freed memory. Successful exploitation could result in high confidentiality, integrity, and availability impacts, such as arbitrary code execution, data corruption, or system denial of service.
Mitigation involves applying the upstream kernel patches referenced in the stable repository commits, including 36c644c63bfcaee2d3a426f45e89a9cd09799318, 390d82733a953c1fabf3de9c9618091a7a9c90a6, 537f619dea4e3fa8ed1f8f938abffe3615794bcc, 65d347cb39e2e6bd0c2a745ad7c928998ebb0162, and 6f55fac0af3531cf60d11369454c41f5fc81ab3f, which fix the dangling sco_conn and use-after-free issues. Security practitioners should update affected Linux kernels to versions incorporating these fixes and monitor for Bluetooth SCO usage in local environments.
Details
- CWE(s)