CVE-2022-49754

CVE-2022-49754 is a buffer overflow vulnerability in the Linux kernel's Bluetooth subsystem, specifically in the mgmt_mesh_add() function within net/bluetooth/mgmt_util.c. The issue occurs because the destination buffer 'mesh_tx->param', an array of 48 bytes defined as u8 param[sizeof(struct mgmt_cp_mesh_send) + 29], receives data via memcpy that can be up to 50 bytes long. This stems from the caller mesh_send rejecting inputs only when len exceeds MGMT_MESH_SEND_SIZE + 31 (19 + 31 = 50), allowing overflows of 2 bytes. The vulnerability is classified under CWE-120 with a CVSS score of 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required. Successful exploitation enables high-impact consequences, including unauthorized access to sensitive data, modification of system integrity, and denial of service through availability disruption, potentially leading to arbitrary code execution or kernel compromise.

Kernel patches addressing this issue are available in the following stable commits: https://git.kernel.org/stable/c/2185e0fdbb2137f22a9dd9fcbf6481400d56299b and https://git.kernel.org/stable/c/ed818fd8c531abf561b379995ee7cc4c68029464. Security practitioners should ensure affected Linux kernel versions are updated to incorporate these fixes.