A NULL pointer dereference flaw may be seen if sco_sock_getsockopt function in net/bluetooth/sco.c do not have a sanity check for a socket connection, When using BT_SNDMTU/BT_RCVMTU for SCO sockets. This could allow a local attacker with a special user privilege to crash the system (DOS) or leak kernel internal information.
A missing check for connected socket will cause a crash due to sco_pi(sk)->conn being NULL.
There was no shipped kernel version were seen affected with this problem.
Mitigation for this issue is not available with the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):