Bug 2348082 (CVE-2022-49474)
| Summary: | CVE-2022-49474 kernel: Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | dfreiber, drow, jburrell, vkumar |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was discovered in the Linux kernel's Bluetooth subsystem, SCO sockets. When calling sco_sock_connect() and connecting the same socket twice in quick succession, two sco_conn objects may be created, but only one gets associated with the socket. If the socket is closed before the SCO connection is fully established, the timer linked to the dangling sco_conn is not canceled. This results in a use-after-free issue in sco_sock_timeout(), where the kernel attempts to access the freed socket. A local, unprivileged user may exploit this flaw to trigger kernel memory corruption, resulting in system instability or a denial of service. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description

OSIDB Bzimport, 2025-02-26 03:16:59 UTC