Bug 2150999 (CVE-2022-3564) - CVE-2022-3564 kernel: use-after-free caused by l2cap_reassemble_sdu() in net/bluetooth/l2cap_core.c
Summary: CVE-2022-3564 kernel: use-after-free caused by l2cap_reassemble_sdu() in net/...
Keywords:
Status: NEW
Alias: CVE-2022-3564
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2151000 2152920 2152921 2152922 2152923 2152924 2152925 2152926 2152927 2152928 2152929 2152931 2152932 2152933 2152934 2152935 2152936 2152937 2152938 2152939 2152940 2152941 2152942 2152943 2152944 2153000 2153001 2153002 2153003 2153004 2153005 2153006 2153007 2160012 2165310 2210946
Blocks: 2150891
TreeView+ depends on / blocked
 
Reported: 2022-12-05 19:53 UTC by Guilherme de Almeida Suckevicz
Modified: 2024-02-07 13:10 UTC (History)
44 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the Linux kernel’s L2CAP bluetooth functionality in how a user triggers a race condition by two malicious flows in the L2CAP bluetooth packets. This flaw allows a local or bluetooth connection user to crash the system or potentially escalate privileges.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:1050 0 None None None 2023-03-02 05:37:44 UTC
Red Hat Product Errata RHBA-2023:1629 0 None None None 2023-04-04 15:16:24 UTC
Red Hat Product Errata RHBA-2023:4244 0 None None None 2023-07-24 07:40:21 UTC
Red Hat Product Errata RHSA-2023:0856 0 None None None 2023-02-21 10:03:02 UTC
Red Hat Product Errata RHSA-2023:0858 0 None None None 2023-02-21 10:03:32 UTC
Red Hat Product Errata RHSA-2023:0951 0 None None None 2023-02-28 08:18:42 UTC
Red Hat Product Errata RHSA-2023:0979 0 None None None 2023-02-28 09:51:12 UTC
Red Hat Product Errata RHSA-2023:1008 0 None None None 2023-02-28 11:42:39 UTC
Red Hat Product Errata RHSA-2023:1202 0 None None None 2023-03-14 13:53:44 UTC
Red Hat Product Errata RHSA-2023:1203 0 None None None 2023-03-14 13:54:05 UTC
Red Hat Product Errata RHSA-2023:1220 0 None None None 2023-03-14 13:58:15 UTC
Red Hat Product Errata RHSA-2023:1221 0 None None None 2023-03-14 13:58:44 UTC
Red Hat Product Errata RHSA-2023:1251 0 None None None 2023-03-15 09:49:24 UTC
Red Hat Product Errata RHSA-2023:1435 0 None None None 2023-03-23 09:03:36 UTC
Red Hat Product Errata RHSA-2023:1559 0 None None None 2023-04-04 06:55:33 UTC
Red Hat Product Errata RHSA-2023:1560 0 None None None 2023-04-04 06:54:52 UTC
Red Hat Product Errata RHSA-2023:1666 0 None None None 2023-04-05 16:16:38 UTC
Red Hat Product Errata RHSA-2023:2736 0 None None None 2023-05-16 08:05:57 UTC
Red Hat Product Errata RHSA-2023:2951 0 None None None 2023-05-16 08:34:43 UTC
Red Hat Product Errata RHSA-2023:3277 0 None None None 2023-05-23 14:00:45 UTC
Red Hat Product Errata RHSA-2023:3278 0 None None None 2023-05-23 14:00:56 UTC
Red Hat Product Errata RHSA-2023:3388 0 None None None 2023-05-31 15:50:50 UTC
Red Hat Product Errata RHSA-2023:3431 0 None None None 2023-06-05 08:14:30 UTC
Red Hat Product Errata RHSA-2023:3491 0 None None None 2023-06-06 14:11:51 UTC
Red Hat Product Errata RHSA-2023:4020 0 None None None 2023-07-11 07:47:51 UTC
Red Hat Product Errata RHSA-2023:4021 0 None None None 2023-07-11 07:50:34 UTC
Red Hat Product Errata RHSA-2023:4150 0 None None None 2023-07-18 08:25:19 UTC
Red Hat Product Errata RHSA-2023:4151 0 None None None 2023-07-18 08:26:49 UTC
Red Hat Product Errata RHSA-2023:4215 0 None None None 2023-07-19 17:26:03 UTC

Description Guilherme de Almeida Suckevicz 2022-12-05 19:53:24 UTC
A vulnerability classified as critical was found in Linux Kernel. Affected by this vulnerability is the function l2cap_reassemble_sdu of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211087.

Reference:
https://vuldb.com/?id.211087

Upstream patch:
https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=89f9f3cb86b1c63badaf392a83dd661d56cc50b1

Comment 1 Guilherme de Almeida Suckevicz 2022-12-05 19:53:46 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2151000]

Comment 2 Justin M. Forbes 2022-12-08 15:53:33 UTC
This was fixed for Fedora with the 6.0.8 stable kernel updates.

Comment 15 errata-xmlrpc 2023-02-21 10:02:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:0856 https://access.redhat.com/errata/RHSA-2023:0856

Comment 16 errata-xmlrpc 2023-02-21 10:03:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:0858 https://access.redhat.com/errata/RHSA-2023:0858

Comment 17 errata-xmlrpc 2023-02-28 08:18:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0951 https://access.redhat.com/errata/RHSA-2023:0951

Comment 18 errata-xmlrpc 2023-02-28 09:51:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0979 https://access.redhat.com/errata/RHSA-2023:0979

Comment 19 errata-xmlrpc 2023-02-28 11:42:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1008 https://access.redhat.com/errata/RHSA-2023:1008

Comment 20 errata-xmlrpc 2023-03-14 13:53:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1202 https://access.redhat.com/errata/RHSA-2023:1202

Comment 21 errata-xmlrpc 2023-03-14 13:54:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1203 https://access.redhat.com/errata/RHSA-2023:1203

Comment 22 errata-xmlrpc 2023-03-14 13:58:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1220 https://access.redhat.com/errata/RHSA-2023:1220

Comment 23 errata-xmlrpc 2023-03-14 13:58:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1221 https://access.redhat.com/errata/RHSA-2023:1221

Comment 24 errata-xmlrpc 2023-03-15 09:49:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1251 https://access.redhat.com/errata/RHSA-2023:1251

Comment 25 errata-xmlrpc 2023-03-23 09:03:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1435 https://access.redhat.com/errata/RHSA-2023:1435

Comment 28 errata-xmlrpc 2023-04-04 06:54:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:1560 https://access.redhat.com/errata/RHSA-2023:1560

Comment 29 errata-xmlrpc 2023-04-04 06:55:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:1559 https://access.redhat.com/errata/RHSA-2023:1559

Comment 30 errata-xmlrpc 2023-04-05 16:16:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2023:1666 https://access.redhat.com/errata/RHSA-2023:1666

Comment 31 errata-xmlrpc 2023-05-16 08:05:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2736 https://access.redhat.com/errata/RHSA-2023:2736

Comment 32 errata-xmlrpc 2023-05-16 08:34:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2951 https://access.redhat.com/errata/RHSA-2023:2951

Comment 33 errata-xmlrpc 2023-05-23 14:00:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support
  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.7 Telco Extended Update Support

Via RHSA-2023:3277 https://access.redhat.com/errata/RHSA-2023:3277

Comment 34 errata-xmlrpc 2023-05-23 14:00:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions

Via RHSA-2023:3278 https://access.redhat.com/errata/RHSA-2023:3278

Comment 35 errata-xmlrpc 2023-05-31 15:50:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:3388 https://access.redhat.com/errata/RHSA-2023:3388

Comment 36 errata-xmlrpc 2023-06-05 08:14:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:3431 https://access.redhat.com/errata/RHSA-2023:3431

Comment 37 errata-xmlrpc 2023-06-06 14:11:47 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2023:3491 https://access.redhat.com/errata/RHSA-2023:3491

Comment 41 errata-xmlrpc 2023-07-11 07:47:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support

Via RHSA-2023:4020 https://access.redhat.com/errata/RHSA-2023:4020

Comment 42 errata-xmlrpc 2023-07-11 07:50:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support

Via RHSA-2023:4021 https://access.redhat.com/errata/RHSA-2023:4021

Comment 43 errata-xmlrpc 2023-07-18 08:25:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:4150 https://access.redhat.com/errata/RHSA-2023:4150

Comment 44 errata-xmlrpc 2023-07-18 08:26:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:4151 https://access.redhat.com/errata/RHSA-2023:4151

Comment 45 errata-xmlrpc 2023-07-19 17:26:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:4215 https://access.redhat.com/errata/RHSA-2023:4215


Note You need to log in before you can comment on or make changes to this bug.