Yuxuan Hu

Rank #46329 of 53,633 · Total CVSS 5.5 · Vulnerabilities: 1
PT-2024-5780 · CVSS 5.5 · 2024-02-28
Linux · Linux Kernel · CVE-2024-26903
**Name of the Vulnerable Software and Affected Versions**

Linux kernel (affected versions not specified)

**Description**

The issue is a null-ptr-deref in the `rfcomm_check_security` function. It occurs when the host sends a `Read Encryption Key Size` type of `HCI_CMD` packet to the controller and the controller's response is delayed to an unexpected point: after the RFCOMM and L2CAP layers have disconnected but before the HCI layer has disconnected. When `rfcomm_check_security` is then called, it dereferences `conn->hcon` on a connection object that has already been released, which leads to the null-ptr-deref. The estimated number of potentially affected devices worldwide is not provided. There is no information about real-world incidents in which this issue was exploited.

**Recommendations**

To fix this bug, check whether `sk->sk_state` is `BT_CLOSED` before calling `rfcomm_recv_frame` in `rfcomm_process_rx`. As a temporary workaround, consider disabling the `rfcomm_check_security` function until a patch is available. Restrict access to the vulnerable `rfcomm` module to minimize the risk of exploitation. Avoid using the `hci_conn_security` function in the affected code path until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.