Bug 2400804 (CVE-2022-50447) - CVE-2022-50447 kernel: Bluetooth: hci_conn: Fix crash on hci_create_cis_sync
Summary: CVE-2022-50447 kernel: Bluetooth: hci_conn: Fix crash on hci_create_cis_sync
Keywords:
Status: NEW
Alias: CVE-2022-50447
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-10-01 12:08 UTC by OSIDB Bzimport
Modified: 2025-10-06 11:45 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-10-01 12:08:16 UTC 
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_conn: Fix crash on hci_create_cis_sync

When attempting to connect multiple ISO sockets without using
DEFER_SETUP may result in the following crash:

BUG: KASAN: null-ptr-deref in hci_create_cis_sync+0x18b/0x2b0
Read of size 2 at addr 0000000000000036 by task kworker/u3:1/50

CPU: 0 PID: 50 Comm: kworker/u3:1 Not tainted
6.0.0-rc7-02243-gb84a13ff4eda #4373
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009),
BIOS 1.16.0-1.fc36 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x19/0x27
 kasan_report+0xbc/0xf0
 ? hci_create_cis_sync+0x18b/0x2b0
 hci_create_cis_sync+0x18b/0x2b0
 ? get_link_mode+0xd0/0xd0
 ? __ww_mutex_lock_slowpath+0x10/0x10
 ? mutex_lock+0xe0/0xe0
 ? get_link_mode+0xd0/0xd0
 hci_cmd_sync_work+0x111/0x190
 process_one_work+0x427/0x650
 worker_thread+0x87/0x750
 ? process_one_work+0x650/0x650
 kthread+0x14e/0x180
 ? kthread_exit+0x50/0x50
 ret_from_fork+0x22/0x30
 </TASK>
Comment 1 Jon Moroney 2025-10-01 18:34:29 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025100115-CVE-2022-50447-4de6@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.