PT-2024-5780 · Linux+7 · Linux Kernel+7

Yuxuan Hu · Published 2024-02-28 · Updated 2025-09-29 · CVE-2024-26903

CVSS v3.1: 5.5 Medium
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

The issue is related to a null-ptr-deref error in the rfcomm_check_security function. This error occurs when the host sends a Read Encryption Key Size type of HCI CMD packet to the controller and the controller's response is delayed to an unexpected point, after the RFCOMM and L2CAP layers have disconnected but before the HCI layer has disconnected. As a result, when the function rfcomm_check_security is called, it attempts to access conn->hcon, which has already been released, leading to a null-ptr-deref error. The estimated number of potentially affected devices worldwide is not provided. There is no information about real-world incidents where this issue was exploited.

Recommendations

To fix this bug, check if sk->sk_state is BT_CLOSED before calling rfcomm_recv_frame in rfcomm_process_rx. As a temporary workaround, consider disabling the rfcomm_check_security function until a patch is available. Restrict access to the vulnerable rfcomm module to minimize the risk of exploitation. Avoid using the hci_conn_security function in the affected code path until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
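
The state check named in the recommendation, shown as an added userspace model (not kernel code and not taken from the original advisory). The struct layouts, the two-value state enum, and the helper names security_check_faults, process_rx and run_scenario are assumptions made for illustration; the model counts the frames that would reach the security check after hcon was released instead of dereferencing the pointer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model only: these structs are stand-ins, not the kernel's types. */
enum sk_state { BT_CONNECTED, BT_CLOSED };
struct hci_conn { int sec_level; };
struct l2cap_conn { struct hci_conn *hcon; };   /* hcon == NULL once released */
struct sock_model { enum sk_state sk_state; struct l2cap_conn *conn; int queued; };

/* Stand-in for rfcomm_check_security(): it needs conn->hcon. The model reports
 * the released-hcon case instead of dereferencing it as the kernel would. */
static bool security_check_faults(const struct l2cap_conn *conn)
{
    return conn->hcon == NULL;
}

/* Model of the receive loop in rfcomm_process_rx(). Returns how many queued
 * frames reached the security check after hcon was released. */
static int process_rx(struct sock_model *sk, bool guard)
{
    int faults = 0;
    while (sk->queued > 0) {
        sk->queued--;
        if (guard && sk->sk_state == BT_CLOSED)
            continue;                 /* fix: drop frames for a closed socket */
        if (security_check_faults(sk->conn))   /* rfcomm_recv_frame() path */
            faults++;
    }
    return faults;
}

/* Constructed scenario: one frame is still queued when processing runs. */
int run_scenario(enum sk_state state, bool hcon_released, bool guard)
{
    struct hci_conn hcon = { 0 };
    struct l2cap_conn conn = { hcon_released ? NULL : &hcon };
    struct sock_model sk = { state, &conn, 1 };
    return process_rx(&sk, guard);
}

int main(void)
{
    printf("closed, unguarded:  %d fault(s)\n", run_scenario(BT_CLOSED, true, false));
    printf("closed, guarded:    %d fault(s)\n", run_scenario(BT_CLOSED, true, true));
    printf("connected, guarded: %d fault(s)\n", run_scenario(BT_CONNECTED, false, true));
    return 0;
}
```
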

Exploit

NULL Pointer Dereference


Weakness Enumeration

Related Identifiers

ALSA-2025_12746
ALSA-2025_12752
ALSA-2025_12753
ALSA-2025_16880
ALT-PU-2024-14046
ALT-PU-2024-7511
AZL-40088
BDU:2024-06495
CVE-2024-26903
DLA-3840-1
DLA-3842-1
DSA-5681-1
INFSA-2024_9315
OESA-2024-1647
OESA-2024-1648
OESA-2024-1649
OESA-2024-1650
OESA-2024-1651
OESA-2024-1652
OPENSUSE-SU-2024_1641-1
OPENSUSE-SU-2024_1642-1
OPENSUSE-SU-2024_1644-1
OPENSUSE-SU-2024_1659-1
OPENSUSE-SU-2024_1663-1
RHSA-2024:9315
RHSA-2024_9315
SUSE-SU-2024:1641-1
SUSE-SU-2024:1642-1
SUSE-SU-2024:1643-1
SUSE-SU-2024:1644-1
SUSE-SU-2024:1645-1
SUSE-SU-2024:1646-1
SUSE-SU-2024:1647-1
SUSE-SU-2024:1650-1
SUSE-SU-2024:1659-1
SUSE-SU-2024:1663-1
SUSE-SU-2024:1870-1
SUSE-SU-2024:2135-1
SUSE-SU-2024:2203-1
SUSE-SU-2024:2973-1
SUSE-SU-2025:20008-1
SUSE-SU-2025:20028-1
SUSE-SU-2025:20166-1
SUSE-SU-2025:20249-1
USN-6820-1
USN-6820-2
USN-6821-1
USN-6821-2
USN-6821-3
USN-6821-4
USN-6828-1
USN-6871-1
USN-6892-1
USN-6896-1
USN-6896-2
USN-6896-3
USN-6896-4
USN-6896-5
USN-6919-1
USN-6972-1
USN-6972-2
USN-6972-3
USN-6972-4
USN-6976-1

Affected Products

Alt Linux
Astra Linux
Linuxmint
Linux Kernel
Red Hat
Red Os
Suse
Ubuntu