Bug 2147364 (CVE-2022-42896) - CVE-2022-42896 kernel: use-after-free in l2cap_connect and l2cap_le_connect_req in net/bluetooth/l2cap_core.c
Summary: CVE-2022-42896 kernel: use-after-free in l2cap_connect and l2cap_le_connect_r...
Keywords:
Status: NEW
Alias: CVE-2022-42896
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2148404 2148405 2176645 2176646 2176648 2176653 2176654 2176655 2176656 2176663 2176664 2176666 2176669 2176671 2176672 2176673 2176674 2176676 2148401 2148402 2148403 2176640 2176641 2176643 2176644 2176647 2176649 2176650 2176651 2176657 2176659 2176660 2176661 2176662 2176665 2176667 2176668 2176675 2176677 2176678 2176679 2213242 2213243 2213244
Blocks: 2142956
TreeView+ depends on / blocked
 
Reported: 2022-11-23 19:24 UTC by Pedro Sampaio
Modified: 2023-08-08 08:20 UTC (History)
39 users (show)

Fixed In Version: kernel 6.1-rc4
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the Linux kernel's implementation of logical link control and adaptation protocol (L2CAP), part of the Bluetooth stack in the l2cap_connect and l2cap_le_connect_req functions. An attacker with physical access within the range of standard Bluetooth transmission could execute code leaking kernel memory via Bluetooth if within proximity of the victim.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:2148 0 None None None 2023-05-09 07:12:26 UTC
Red Hat Product Errata RHSA-2023:2458 0 None None None 2023-05-09 07:50:58 UTC
Red Hat Product Errata RHSA-2023:3461 0 None None None 2023-06-06 08:49:03 UTC
Red Hat Product Errata RHSA-2023:3462 0 None None None 2023-06-06 08:46:44 UTC
Red Hat Product Errata RHSA-2023:3517 0 None None None 2023-06-06 16:26:48 UTC
Red Hat Product Errata RHSA-2023:4137 0 None None None 2023-07-18 08:28:40 UTC
Red Hat Product Errata RHSA-2023:4138 0 None None None 2023-07-18 08:28:50 UTC
Red Hat Product Errata RHSA-2023:4230 0 None None None 2023-07-20 07:32:29 UTC
Red Hat Product Errata RHSA-2023:4517 0 None None None 2023-08-08 08:19:50 UTC
Red Hat Product Errata RHSA-2023:4531 0 None None None 2023-08-08 08:20:02 UTC
Red Hat Product Errata RHSA-2023:4541 0 None None None 2023-08-08 07:54:18 UTC

Description Pedro Sampaio 2022-11-23 19:24:35 UTC 
There are use-after-free vulnerabilities in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_connect and l2cap_le_connect_req functions which may allow code execution and leaking kernel memory (respectively) remotely via Bluetooth. A remote attacker could execute code leaking kernel memory via Bluetooth if within proximity of the victim.

References:

https://github.com/google/security-research/security/advisories/GHSA-pf87-6c9q-jvm4
https://github.com/torvalds/linux/commit/711f8c3fb3db61897080468586b970c87c61d9e4
https://github.com/torvalds/linux/commit/f937b758a188d6fd328a81367087eddbb2fce50f
Comment 1 Mauro Matteo Cascella 2022-11-25 11:14:31 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2148401]
Comment 3 Justin M. Forbes 2022-11-30 21:16:15 UTC 
This was fixed for Fedora with the 6.0.8 stable kernel updates.
Comment 16 errata-xmlrpc 2023-05-09 07:12:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2148 https://access.redhat.com/errata/RHSA-2023:2148
Comment 17 errata-xmlrpc 2023-05-09 07:50:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2458 https://access.redhat.com/errata/RHSA-2023:2458
Comment 18 errata-xmlrpc 2023-06-06 08:46:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2023:3462 https://access.redhat.com/errata/RHSA-2023:3462
Comment 19 errata-xmlrpc 2023-06-06 08:49:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:3461 https://access.redhat.com/errata/RHSA-2023:3461
Comment 20 errata-xmlrpc 2023-06-06 16:26:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2023:3517 https://access.redhat.com/errata/RHSA-2023:3517
Comment 23 errata-xmlrpc 2023-07-18 08:28:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:4137 https://access.redhat.com/errata/RHSA-2023:4137
Comment 24 errata-xmlrpc 2023-07-18 08:28:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:4138 https://access.redhat.com/errata/RHSA-2023:4138
Comment 25 errata-xmlrpc 2023-07-20 07:32:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:4230 https://access.redhat.com/errata/RHSA-2023:4230
Comment 26 errata-xmlrpc 2023-08-08 07:54:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:4541 https://access.redhat.com/errata/RHSA-2023:4541
Comment 27 errata-xmlrpc 2023-08-08 08:19:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:4517 https://access.redhat.com/errata/RHSA-2023:4517
Comment 28 errata-xmlrpc 2023-08-08 08:19:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:4531 https://access.redhat.com/errata/RHSA-2023:4531
Note You need to log in before you can comment on or make changes to this bug.