Bug 2426229 (CVE-2023-54210) - CVE-2023-54210 kernel: Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_remove_adv_monitor()
Summary: CVE-2023-54210 kernel: Bluetooth: hci_sync: Avoid use-after-free in dbg for h...
Keywords:
Status: NEW
Alias: CVE-2023-54210
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-12-30 13:17 UTC by OSIDB Bzimport
Modified: 2025-12-30 23:45 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-12-30 13:17:58 UTC 
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_remove_adv_monitor()

KASAN reports that there's a use-after-free in
hci_remove_adv_monitor(). Trawling through the disassembly, you can
see that the complaint is from the access in bt_dev_dbg() under the
HCI_ADV_MONITOR_EXT_MSFT case. The problem case happens because
msft_remove_monitor() can end up freeing the monitor
structure. Specifically:
  hci_remove_adv_monitor() ->
  msft_remove_monitor() ->
  msft_remove_monitor_sync() ->
  msft_le_cancel_monitor_advertisement_cb() ->
  hci_free_adv_monitor()

Let's fix the problem by just stashing the relevant data when it's
still valid.
Comment 1 Alexander B 2025-12-30 23:40:57 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025123024-CVE-2023-54210-7a73@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.