Bug 2147364 (CVE-2022-42896) - CVE-2022-42896 kernel: use-after-free in l2cap_connect and l2cap_le_connect_req in net/bluetooth/l2cap_core.c
Status: NEW
Alias: CVE-2022-42896
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 2148402 2148403 2148404 2148405 2176640 2176643 2176644 2176645 2176646 2176647 2176648 2176650 2176651 2176653 2176654 2176655 2176656 2176657 2176659 2176661 2176662 2176663 2176664 2176665 2176666 2176668 2176669 2176671 2176672 2176673 2176674 2176675 2176676 2176678 2148401 2176641 2176649 2176660 2176667 2176677 2176679
Blocks: 2142956
Reported: 2022-11-23 19:24 UTC by Pedro Sampaio
Modified: 2023-03-08 22:14 UTC

Fixed In Version: kernel 6.1-rc4
Doc Text:
A use-after-free flaw was found in the Linux kernel's implementation of logical link control and adaptation protocol (L2CAP), part of the Bluetooth stack in the l2cap_connect and l2cap_le_connect_req functions. An attacker with physical access within the range of standard Bluetooth transmission could execute code leaking kernel memory via Bluetooth if within proximity of the victim.

Description Pedro Sampaio 2022-11-23 19:24:35 UTC
There are use-after-free vulnerabilities in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_connect and l2cap_le_connect_req functions which may allow code execution and leaking kernel memory (respectively) remotely via Bluetooth. A remote attacker could execute code leaking kernel memory via Bluetooth if within proximity of the victim.

References:

https://github.com/google/security-research/security/advisories/GHSA-pf87-6c9q-jvm4
https://github.com/torvalds/linux/commit/711f8c3fb3db61897080468586b970c87c61d9e4
https://github.com/torvalds/linux/commit/f937b758a188d6fd328a81367087eddbb2fce50f

Comment 1 Mauro Matteo Cascella 2022-11-25 11:14:31 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2148401]

Comment 3 Justin M. Forbes 2022-11-30 21:16:15 UTC
This was fixed for Fedora with the 6.0.8 stable kernel updates.

