CVE-2022-49111 (GCVE-0-2022-49111)

Vulnerability from cvelistv5 – Published: 2025-02-26 01:54 – Updated: 2025-12-23 13:21
VLAI?
Title
Bluetooth: Fix use after free in hci_send_acl
Summary
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix use after free in hci_send_acl This fixes the following trace caused by receiving HCI_EV_DISCONN_PHY_LINK_COMPLETE which does call hci_conn_del without first checking if conn->type is in fact AMP_LINK and in case it is do properly cleanup upper layers with hci_disconn_cfm: ================================================================== BUG: KASAN: use-after-free in hci_send_acl+0xaba/0xc50 Read of size 8 at addr ffff88800e404818 by task bluetoothd/142 CPU: 0 PID: 142 Comm: bluetoothd Not tainted 5.17.0-rc5-00006-gda4022eeac1a #7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x45/0x59 print_address_description.constprop.0+0x1f/0x150 kasan_report.cold+0x7f/0x11b hci_send_acl+0xaba/0xc50 l2cap_do_send+0x23f/0x3d0 l2cap_chan_send+0xc06/0x2cc0 l2cap_sock_sendmsg+0x201/0x2b0 sock_sendmsg+0xdc/0x110 sock_write_iter+0x20f/0x370 do_iter_readv_writev+0x343/0x690 do_iter_write+0x132/0x640 vfs_writev+0x198/0x570 do_writev+0x202/0x280 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae RSP: 002b:00007ffce8a099b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 14 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10 RDX: 0000000000000001 RSI: 00007ffce8a099e0 RDI: 0000000000000015 RAX: ffffffffffffffda RBX: 00007ffce8a099e0 RCX: 00007f788fc3cf77 R10: 00007ffce8af7080 R11: 0000000000000246 R12: 000055e4ccf75580 RBP: 0000000000000015 R08: 0000000000000002 R09: 0000000000000001 </TASK> R13: 000055e4ccf754a0 R14: 000055e4ccf75cd0 R15: 000055e4ccf4a6b0 Allocated by task 45: kasan_save_stack+0x1e/0x40 __kasan_kmalloc+0x81/0xa0 hci_chan_create+0x9a/0x2f0 l2cap_conn_add.part.0+0x1a/0xdc0 l2cap_connect_cfm+0x236/0x1000 le_conn_complete_evt+0x15a7/0x1db0 hci_le_conn_complete_evt+0x226/0x2c0 hci_le_meta_evt+0x247/0x450 hci_event_packet+0x61b/0xe90 hci_rx_work+0x4d5/0xc50 process_one_work+0x8fb/0x15a0 worker_thread+0x576/0x1240 kthread+0x29d/0x340 ret_from_fork+0x1f/0x30 Freed by task 45: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_set_free_info+0x20/0x30 __kasan_slab_free+0xfb/0x130 kfree+0xac/0x350 hci_conn_cleanup+0x101/0x6a0 hci_conn_del+0x27e/0x6c0 hci_disconn_phylink_complete_evt+0xe0/0x120 hci_event_packet+0x812/0xe90 hci_rx_work+0x4d5/0xc50 process_one_work+0x8fb/0x15a0 worker_thread+0x576/0x1240 kthread+0x29d/0x340 ret_from_fork+0x1f/0x30 The buggy address belongs to the object at ffff88800c0f0500 The buggy address is located 24 bytes inside of which belongs to the cache kmalloc-128 of size 128 The buggy address belongs to the page: 128-byte region [ffff88800c0f0500, ffff88800c0f0580) flags: 0x100000000000200(slab|node=0|zone=1) page:00000000fe45cd86 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xc0f0 raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 raw: 0100000000000200 ffffea00003a2c80 dead000000000004 ffff8880078418c0 page dumped because: kasan: bad access detected ffff88800c0f0400: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc Memory state around the buggy address: >ffff88800c0f0500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88800c0f0480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88800c0f0580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ---truncated---
Severity ?
7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 9eef6b3a9e38d5f8ad315b2a7db153392e6a77d6 , < c41de54b0a963e59e4dd04c029a4a6d73f45ef9c (git)
Affected: 9eef6b3a9e38d5f8ad315b2a7db153392e6a77d6 , < 643a6c26bd32e339d00ad97b8822b6db009e803c (git)
Affected: 9eef6b3a9e38d5f8ad315b2a7db153392e6a77d6 , < 684e505406abaeabe0058e9776f9210bf2747953 (git)
Affected: 9eef6b3a9e38d5f8ad315b2a7db153392e6a77d6 , < 3803d896ddd97c7c16689a5381c0960040727647 (git)
Affected: 9eef6b3a9e38d5f8ad315b2a7db153392e6a77d6 , < 2cc803804ec9a296b3156855d6c8c4ca1c6b84be (git)
Affected: 9eef6b3a9e38d5f8ad315b2a7db153392e6a77d6 , < d404765dffdbd8dcd14758695d0c96c52fb2e624 (git)
Affected: 9eef6b3a9e38d5f8ad315b2a7db153392e6a77d6 , < 4da302b90b96c309987eb9b37c8547f939f042d2 (git)
Affected: 9eef6b3a9e38d5f8ad315b2a7db153392e6a77d6 , < b3c2ea1fd444b3bb7b82bfd2c3a45418f85c2502 (git)
Affected: 9eef6b3a9e38d5f8ad315b2a7db153392e6a77d6 , < f63d24baff787e13b723d86fe036f84bdbc35045 (git)
Create a notification for this product.
    Linux Linux Affected: 3.8
Unaffected: 0 , < 3.8 (semver)
Unaffected: 4.9.311 , ≤ 4.9.* (semver)
Unaffected: 4.14.276 , ≤ 4.14.* (semver)
Unaffected: 4.19.238 , ≤ 4.19.* (semver)
Unaffected: 5.4.189 , ≤ 5.4.* (semver)
Unaffected: 5.10.111 , ≤ 5.10.* (semver)
Unaffected: 5.15.34 , ≤ 5.15.* (semver)
Unaffected: 5.16.20 , ≤ 5.16.* (semver)
Unaffected: 5.17.3 , ≤ 5.17.* (semver)
Unaffected: 5.18 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-49111",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T18:17:22.265818Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:22:35.037Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/hci_event.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c41de54b0a963e59e4dd04c029a4a6d73f45ef9c",
              "status": "affected",
              "version": "9eef6b3a9e38d5f8ad315b2a7db153392e6a77d6",
              "versionType": "git"
            },
            {
              "lessThan": "643a6c26bd32e339d00ad97b8822b6db009e803c",
              "status": "affected",
              "version": "9eef6b3a9e38d5f8ad315b2a7db153392e6a77d6",
              "versionType": "git"
            },
            {
              "lessThan": "684e505406abaeabe0058e9776f9210bf2747953",
              "status": "affected",
              "version": "9eef6b3a9e38d5f8ad315b2a7db153392e6a77d6",
              "versionType": "git"
            },
            {
              "lessThan": "3803d896ddd97c7c16689a5381c0960040727647",
              "status": "affected",
              "version": "9eef6b3a9e38d5f8ad315b2a7db153392e6a77d6",
              "versionType": "git"
            },
            {
              "lessThan": "2cc803804ec9a296b3156855d6c8c4ca1c6b84be",
              "status": "affected",
              "version": "9eef6b3a9e38d5f8ad315b2a7db153392e6a77d6",
              "versionType": "git"
            },
            {
              "lessThan": "d404765dffdbd8dcd14758695d0c96c52fb2e624",
              "status": "affected",
              "version": "9eef6b3a9e38d5f8ad315b2a7db153392e6a77d6",
              "versionType": "git"
            },
            {
              "lessThan": "4da302b90b96c309987eb9b37c8547f939f042d2",
              "status": "affected",
              "version": "9eef6b3a9e38d5f8ad315b2a7db153392e6a77d6",
              "versionType": "git"
            },
            {
              "lessThan": "b3c2ea1fd444b3bb7b82bfd2c3a45418f85c2502",
              "status": "affected",
              "version": "9eef6b3a9e38d5f8ad315b2a7db153392e6a77d6",
              "versionType": "git"
            },
            {
              "lessThan": "f63d24baff787e13b723d86fe036f84bdbc35045",
              "status": "affected",
              "version": "9eef6b3a9e38d5f8ad315b2a7db153392e6a77d6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/hci_event.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.8"
            },
            {
              "lessThan": "3.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.311",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.276",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.238",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.111",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.16.*",
              "status": "unaffected",
              "version": "5.16.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.17.*",
              "status": "unaffected",
              "version": "5.17.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.311",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.276",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.238",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.189",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.111",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.34",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.16.20",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.17.3",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix use after free in hci_send_acl\n\nThis fixes the following trace caused by receiving\nHCI_EV_DISCONN_PHY_LINK_COMPLETE which does call hci_conn_del without\nfirst checking if conn-\u003etype is in fact AMP_LINK and in case it is\ndo properly cleanup upper layers with hci_disconn_cfm:\n\n ==================================================================\n    BUG: KASAN: use-after-free in hci_send_acl+0xaba/0xc50\n    Read of size 8 at addr ffff88800e404818 by task bluetoothd/142\n\n    CPU: 0 PID: 142 Comm: bluetoothd Not tainted\n    5.17.0-rc5-00006-gda4022eeac1a #7\n    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n    rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n    Call Trace:\n     \u003cTASK\u003e\n     dump_stack_lvl+0x45/0x59\n     print_address_description.constprop.0+0x1f/0x150\n     kasan_report.cold+0x7f/0x11b\n     hci_send_acl+0xaba/0xc50\n     l2cap_do_send+0x23f/0x3d0\n     l2cap_chan_send+0xc06/0x2cc0\n     l2cap_sock_sendmsg+0x201/0x2b0\n     sock_sendmsg+0xdc/0x110\n     sock_write_iter+0x20f/0x370\n     do_iter_readv_writev+0x343/0x690\n     do_iter_write+0x132/0x640\n     vfs_writev+0x198/0x570\n     do_writev+0x202/0x280\n     do_syscall_64+0x38/0x90\n     entry_SYSCALL_64_after_hwframe+0x44/0xae\n    RSP: 002b:00007ffce8a099b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014\n    Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3\n    0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 14 00 00 00 0f 05\n    \u003c48\u003e 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10\n    RDX: 0000000000000001 RSI: 00007ffce8a099e0 RDI: 0000000000000015\n    RAX: ffffffffffffffda RBX: 00007ffce8a099e0 RCX: 00007f788fc3cf77\n    R10: 00007ffce8af7080 R11: 0000000000000246 R12: 000055e4ccf75580\n    RBP: 0000000000000015 R08: 0000000000000002 R09: 0000000000000001\n    \u003c/TASK\u003e\n    R13: 000055e4ccf754a0 R14: 000055e4ccf75cd0 R15: 000055e4ccf4a6b0\n\n    Allocated by task 45:\n        kasan_save_stack+0x1e/0x40\n        __kasan_kmalloc+0x81/0xa0\n        hci_chan_create+0x9a/0x2f0\n        l2cap_conn_add.part.0+0x1a/0xdc0\n        l2cap_connect_cfm+0x236/0x1000\n        le_conn_complete_evt+0x15a7/0x1db0\n        hci_le_conn_complete_evt+0x226/0x2c0\n        hci_le_meta_evt+0x247/0x450\n        hci_event_packet+0x61b/0xe90\n        hci_rx_work+0x4d5/0xc50\n        process_one_work+0x8fb/0x15a0\n        worker_thread+0x576/0x1240\n        kthread+0x29d/0x340\n        ret_from_fork+0x1f/0x30\n\n    Freed by task 45:\n        kasan_save_stack+0x1e/0x40\n        kasan_set_track+0x21/0x30\n        kasan_set_free_info+0x20/0x30\n        __kasan_slab_free+0xfb/0x130\n        kfree+0xac/0x350\n        hci_conn_cleanup+0x101/0x6a0\n        hci_conn_del+0x27e/0x6c0\n        hci_disconn_phylink_complete_evt+0xe0/0x120\n        hci_event_packet+0x812/0xe90\n        hci_rx_work+0x4d5/0xc50\n        process_one_work+0x8fb/0x15a0\n        worker_thread+0x576/0x1240\n        kthread+0x29d/0x340\n        ret_from_fork+0x1f/0x30\n\n    The buggy address belongs to the object at ffff88800c0f0500\n    The buggy address is located 24 bytes inside of\n    which belongs to the cache kmalloc-128 of size 128\n    The buggy address belongs to the page:\n    128-byte region [ffff88800c0f0500, ffff88800c0f0580)\n    flags: 0x100000000000200(slab|node=0|zone=1)\n    page:00000000fe45cd86 refcount:1 mapcount:0\n    mapping:0000000000000000 index:0x0 pfn:0xc0f0\n    raw: 0000000000000000 0000000080100010 00000001ffffffff\n    0000000000000000\n    raw: 0100000000000200 ffffea00003a2c80 dead000000000004\n    ffff8880078418c0\n    page dumped because: kasan: bad access detected\n    ffff88800c0f0400: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc\n    Memory state around the buggy address:\n    \u003effff88800c0f0500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n    ffff88800c0f0480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n    ffff88800c0f0580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n                   \n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-23T13:21:59.365Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c41de54b0a963e59e4dd04c029a4a6d73f45ef9c"
        },
        {
          "url": "https://git.kernel.org/stable/c/643a6c26bd32e339d00ad97b8822b6db009e803c"
        },
        {
          "url": "https://git.kernel.org/stable/c/684e505406abaeabe0058e9776f9210bf2747953"
        },
        {
          "url": "https://git.kernel.org/stable/c/3803d896ddd97c7c16689a5381c0960040727647"
        },
        {
          "url": "https://git.kernel.org/stable/c/2cc803804ec9a296b3156855d6c8c4ca1c6b84be"
        },
        {
          "url": "https://git.kernel.org/stable/c/d404765dffdbd8dcd14758695d0c96c52fb2e624"
        },
        {
          "url": "https://git.kernel.org/stable/c/4da302b90b96c309987eb9b37c8547f939f042d2"
        },
        {
          "url": "https://git.kernel.org/stable/c/b3c2ea1fd444b3bb7b82bfd2c3a45418f85c2502"
        },
        {
          "url": "https://git.kernel.org/stable/c/f63d24baff787e13b723d86fe036f84bdbc35045"
        }
      ],
      "title": "Bluetooth: Fix use after free in hci_send_acl",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49111",
    "datePublished": "2025-02-26T01:54:56.622Z",
    "dateReserved": "2025-02-26T01:49:39.261Z",
    "dateUpdated": "2025-12-23T13:21:59.365Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-49111\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-27T18:17:22.265818Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-416\", \"description\": \"CWE-416 Use After Free\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-27T18:17:23.563Z\"}}], \"cna\": {\"title\": \"Bluetooth: Fix use after free in hci_send_acl\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"9eef6b3a9e38d5f8ad315b2a7db153392e6a77d6\", \"lessThan\": \"c41de54b0a963e59e4dd04c029a4a6d73f45ef9c\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"9eef6b3a9e38d5f8ad315b2a7db153392e6a77d6\", \"lessThan\": \"643a6c26bd32e339d00ad97b8822b6db009e803c\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"9eef6b3a9e38d5f8ad315b2a7db153392e6a77d6\", \"lessThan\": \"684e505406abaeabe0058e9776f9210bf2747953\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"9eef6b3a9e38d5f8ad315b2a7db153392e6a77d6\", \"lessThan\": \"3803d896ddd97c7c16689a5381c0960040727647\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"9eef6b3a9e38d5f8ad315b2a7db153392e6a77d6\", \"lessThan\": \"2cc803804ec9a296b3156855d6c8c4ca1c6b84be\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"9eef6b3a9e38d5f8ad315b2a7db153392e6a77d6\", \"lessThan\": \"d404765dffdbd8dcd14758695d0c96c52fb2e624\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"9eef6b3a9e38d5f8ad315b2a7db153392e6a77d6\", \"lessThan\": \"4da302b90b96c309987eb9b37c8547f939f042d2\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"9eef6b3a9e38d5f8ad315b2a7db153392e6a77d6\", \"lessThan\": \"b3c2ea1fd444b3bb7b82bfd2c3a45418f85c2502\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"9eef6b3a9e38d5f8ad315b2a7db153392e6a77d6\", \"lessThan\": \"f63d24baff787e13b723d86fe036f84bdbc35045\", \"versionType\": \"git\"}], \"programFiles\": [\"net/bluetooth/hci_event.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.8\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"3.8\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"4.9.311\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.9.*\"}, {\"status\": \"unaffected\", \"version\": \"4.14.276\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.14.*\"}, {\"status\": \"unaffected\", \"version\": \"4.19.238\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.19.*\"}, {\"status\": \"unaffected\", \"version\": \"5.4.189\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.4.*\"}, {\"status\": \"unaffected\", \"version\": \"5.10.111\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.15.34\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"5.16.20\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.16.*\"}, {\"status\": \"unaffected\", \"version\": \"5.17.3\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.17.*\"}, {\"status\": \"unaffected\", \"version\": \"5.18\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"net/bluetooth/hci_event.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/c41de54b0a963e59e4dd04c029a4a6d73f45ef9c\"}, {\"url\": \"https://git.kernel.org/stable/c/643a6c26bd32e339d00ad97b8822b6db009e803c\"}, {\"url\": \"https://git.kernel.org/stable/c/684e505406abaeabe0058e9776f9210bf2747953\"}, {\"url\": \"https://git.kernel.org/stable/c/3803d896ddd97c7c16689a5381c0960040727647\"}, {\"url\": \"https://git.kernel.org/stable/c/2cc803804ec9a296b3156855d6c8c4ca1c6b84be\"}, {\"url\": \"https://git.kernel.org/stable/c/d404765dffdbd8dcd14758695d0c96c52fb2e624\"}, {\"url\": \"https://git.kernel.org/stable/c/4da302b90b96c309987eb9b37c8547f939f042d2\"}, {\"url\": \"https://git.kernel.org/stable/c/b3c2ea1fd444b3bb7b82bfd2c3a45418f85c2502\"}, {\"url\": \"https://git.kernel.org/stable/c/f63d24baff787e13b723d86fe036f84bdbc35045\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: Fix use after free in hci_send_acl\\n\\nThis fixes the following trace caused by receiving\\nHCI_EV_DISCONN_PHY_LINK_COMPLETE which does call hci_conn_del without\\nfirst checking if conn-\u003etype is in fact AMP_LINK and in case it is\\ndo properly cleanup upper layers with hci_disconn_cfm:\\n\\n ==================================================================\\n    BUG: KASAN: use-after-free in hci_send_acl+0xaba/0xc50\\n    Read of size 8 at addr ffff88800e404818 by task bluetoothd/142\\n\\n    CPU: 0 PID: 142 Comm: bluetoothd Not tainted\\n    5.17.0-rc5-00006-gda4022eeac1a #7\\n    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\\n    rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\\n    Call Trace:\\n     \u003cTASK\u003e\\n     dump_stack_lvl+0x45/0x59\\n     print_address_description.constprop.0+0x1f/0x150\\n     kasan_report.cold+0x7f/0x11b\\n     hci_send_acl+0xaba/0xc50\\n     l2cap_do_send+0x23f/0x3d0\\n     l2cap_chan_send+0xc06/0x2cc0\\n     l2cap_sock_sendmsg+0x201/0x2b0\\n     sock_sendmsg+0xdc/0x110\\n     sock_write_iter+0x20f/0x370\\n     do_iter_readv_writev+0x343/0x690\\n     do_iter_write+0x132/0x640\\n     vfs_writev+0x198/0x570\\n     do_writev+0x202/0x280\\n     do_syscall_64+0x38/0x90\\n     entry_SYSCALL_64_after_hwframe+0x44/0xae\\n    RSP: 002b:00007ffce8a099b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014\\n    Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3\\n    0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 14 00 00 00 0f 05\\n    \u003c48\u003e 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10\\n    RDX: 0000000000000001 RSI: 00007ffce8a099e0 RDI: 0000000000000015\\n    RAX: ffffffffffffffda RBX: 00007ffce8a099e0 RCX: 00007f788fc3cf77\\n    R10: 00007ffce8af7080 R11: 0000000000000246 R12: 000055e4ccf75580\\n    RBP: 0000000000000015 R08: 0000000000000002 R09: 0000000000000001\\n    \u003c/TASK\u003e\\n    R13: 000055e4ccf754a0 R14: 000055e4ccf75cd0 R15: 000055e4ccf4a6b0\\n\\n    Allocated by task 45:\\n        kasan_save_stack+0x1e/0x40\\n        __kasan_kmalloc+0x81/0xa0\\n        hci_chan_create+0x9a/0x2f0\\n        l2cap_conn_add.part.0+0x1a/0xdc0\\n        l2cap_connect_cfm+0x236/0x1000\\n        le_conn_complete_evt+0x15a7/0x1db0\\n        hci_le_conn_complete_evt+0x226/0x2c0\\n        hci_le_meta_evt+0x247/0x450\\n        hci_event_packet+0x61b/0xe90\\n        hci_rx_work+0x4d5/0xc50\\n        process_one_work+0x8fb/0x15a0\\n        worker_thread+0x576/0x1240\\n        kthread+0x29d/0x340\\n        ret_from_fork+0x1f/0x30\\n\\n    Freed by task 45:\\n        kasan_save_stack+0x1e/0x40\\n        kasan_set_track+0x21/0x30\\n        kasan_set_free_info+0x20/0x30\\n        __kasan_slab_free+0xfb/0x130\\n        kfree+0xac/0x350\\n        hci_conn_cleanup+0x101/0x6a0\\n        hci_conn_del+0x27e/0x6c0\\n        hci_disconn_phylink_complete_evt+0xe0/0x120\\n        hci_event_packet+0x812/0xe90\\n        hci_rx_work+0x4d5/0xc50\\n        process_one_work+0x8fb/0x15a0\\n        worker_thread+0x576/0x1240\\n        kthread+0x29d/0x340\\n        ret_from_fork+0x1f/0x30\\n\\n    The buggy address belongs to the object at ffff88800c0f0500\\n    The buggy address is located 24 bytes inside of\\n    which belongs to the cache kmalloc-128 of size 128\\n    The buggy address belongs to the page:\\n    128-byte region [ffff88800c0f0500, ffff88800c0f0580)\\n    flags: 0x100000000000200(slab|node=0|zone=1)\\n    page:00000000fe45cd86 refcount:1 mapcount:0\\n    mapping:0000000000000000 index:0x0 pfn:0xc0f0\\n    raw: 0000000000000000 0000000080100010 00000001ffffffff\\n    0000000000000000\\n    raw: 0100000000000200 ffffea00003a2c80 dead000000000004\\n    ffff8880078418c0\\n    page dumped because: kasan: bad access detected\\n    ffff88800c0f0400: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc\\n    Memory state around the buggy address:\\n    \u003effff88800c0f0500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\\n    ffff88800c0f0480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\\n    ffff88800c0f0580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\\n                   \\n---truncated---\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.9.311\", \"versionStartIncluding\": \"3.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.14.276\", \"versionStartIncluding\": \"3.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.19.238\", \"versionStartIncluding\": \"3.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.4.189\", \"versionStartIncluding\": \"3.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.111\", \"versionStartIncluding\": \"3.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.34\", \"versionStartIncluding\": \"3.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.16.20\", \"versionStartIncluding\": \"3.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.17.3\", \"versionStartIncluding\": \"3.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.18\", \"versionStartIncluding\": \"3.8\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-12-23T13:21:59.365Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-49111\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-23T13:21:59.365Z\", \"dateReserved\": \"2025-02-26T01:49:39.261Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2025-02-26T01:54:56.622Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.