PT-2025-18626 · Linux+3 · Linux Kernel+3

Published 2025-05-01 · Updated 2025-08-18 · CVE-2022-49909

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

A use-after-free issue has been identified in the Linux kernel's Bluetooth L2CAP implementation. This occurs when the l2cap_recv_frame() function is invoked to receive data, and the channel does not exist, causing a new channel to be created. However, the channel's reference count is not properly managed, leading to a situation where the channel is freed prematurely. This can result in a use-after-free error when the l2cap_chan_unlock() function is called. The issue is triggered by the hci_error_reset() function, which invokes the l2cap_conn_del() function to release the channel.

Technical details about exploitation include:
  • The l2cap_recv_frame() function is used to receive data.
  • The a2mp_channel_create() function is used to create a new channel.
  • The l2cap_chan_put() function is used to decrement the channel's reference count.
  • The hci_error_reset() function triggers the l2cap_conn_del() function to release the channel.
  • The l2cap_chan_unlock() function is used to unlock the channel, which can lead to a use-after-free error.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Use After Free

Weakness Enumeration

Related Identifiers

CVE-2022-49909
LSN-0114-1
SUSE-SU-2025:01918-1
SUSE-SU-2025:01966-1
SUSE-SU-2025:01983-1
SUSE-SU-2025:02173-1
SUSE-SU-2025:02262-1
SUSE-SU-2025:2173-1
SUSE-SU-2025_01983-1
SUSE-SU-2025_02173-1
SUSE-SU-2025_02262-1
USN-7607-1
USN-7607-2
USN-7607-3

Affected Products

Astra Linux
Linux Kernel
Suse
Ubuntu