Bug 2147364 (CVE-2022-42896) - CVE-2022-42896 kernel: use-after-free in l2cap_connect and l2cap_le_connect_req in net/bluetooth/l2cap_core.c
Status: NEW
Alias: CVE-2022-42896
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 2148404 2148405 2176640 2176645 2176646 2176647 2176648 2176650 2176651 2176653 2176654 2176655 2176656 2176657 2176659 2176663 2176664 2176665 2176666 2176668 2176669 2176671 2176672 2176673 2176674 2176675 2176676 2176678 2148401 2148402 2148403 2176641 2176643 2176644 2176649 2176660 2176661 2176662 2176667 2176677 2176679
Blocks: 2142956 (Embargoed)
Reported: 2022-11-23 19:24 UTC by Pedro Sampaio
Modified: 2023-05-09 07:50 UTC

Fixed In Version: kernel 6.1-rc4
Doc Text:
A use-after-free flaw was found in the l2cap_connect and l2cap_le_connect_req functions of the Linux kernel's implementation of the Logical Link Control and Adaptation Protocol (L2CAP), part of the Bluetooth stack. An attacker physically within range of standard Bluetooth transmission of the victim could execute code leaking kernel memory via Bluetooth.


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2023:2148 | 0 | None | None | None | 2023-05-09 07:12:26 UTC
Red Hat Product Errata | RHSA-2023:2458 | 0 | None | None | None | 2023-05-09 07:50:58 UTC

Description Pedro Sampaio 2022-11-23 19:24:35 UTC
There are use-after-free vulnerabilities in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_connect and l2cap_le_connect_req functions which may allow code execution and leaking kernel memory (respectively) remotely via Bluetooth. A remote attacker could execute code leaking kernel memory via Bluetooth if within proximity of the victim.

References:

https://github.com/google/security-research/security/advisories/GHSA-pf87-6c9q-jvm4
https://github.com/torvalds/linux/commit/711f8c3fb3db61897080468586b970c87c61d9e4
https://github.com/torvalds/linux/commit/f937b758a188d6fd328a81367087eddbb2fce50f

Comment 1 Mauro Matteo Cascella 2022-11-25 11:14:31 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2148401]

Comment 3 Justin M. Forbes 2022-11-30 21:16:15 UTC
This was fixed for Fedora with the 6.0.8 stable kernel updates.

Comment 16 errata-xmlrpc 2023-05-09 07:12:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2148 https://access.redhat.com/errata/RHSA-2023:2148

Comment 17 errata-xmlrpc 2023-05-09 07:50:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2458 https://access.redhat.com/errata/RHSA-2023:2458

