PT-2025-18626 · Linux+3 · Linux Kernel+3

Published: 2025-05-01 · Updated: 2025-08-18 · CVE-2022-49909

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified)
Description: A use-after-free issue has been identified in the Linux kernel's Bluetooth L2CAP implementation. This occurs when the l2cap_recv_frame() function is invoked to receive data, and the channel does not exist, causing a new channel to be created. However, the channel's reference count is not properly managed, leading to a situation where the channel is freed prematurely. This can result in a use-after-free error when the l2cap_chan_unlock() function is called. The issue is triggered by the hci_error_reset() function, which invokes the l2cap_conn_del() function to release the channel.
Technical details about exploitation include:
  • The l2cap_recv_frame() function is used to receive data.
  • The a2mp_channel_create() function is used to create a new channel.
  • The l2cap_chan_put() function is used to decrement the channel's reference count.
  • The hci_error_reset() function triggers the l2cap_conn_del() function to release the channel.
  • The l2cap_chan_unlock() function is used to unlock the channel, which can lead to a use-after-free error.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Use After Free

Weakness Enumeration

Related Identifiers

CVE-2022-49909
LSN-0114-1
SUSE-SU-2025:01918-1
SUSE-SU-2025:01966-1
SUSE-SU-2025:01983-1
SUSE-SU-2025:02173-1
SUSE-SU-2025:02262-1
SUSE-SU-2025:2173-1
SUSE-SU-2025_01983-1
SUSE-SU-2025_02173-1
SUSE-SU-2025_02262-1
USN-7607-1
USN-7607-2
USN-7607-3

Affected Products

Astra Linux
Linux Kernel
Suse
Ubuntu