CVE-2022-49910

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 5.19.8

Description A use-after-free condition has been identified in the Linux kernel's Bluetooth L2CAP implementation. This issue arises from a race condition between two parallel flows: l2cap reassemble sdu and bt sock recvmsg. The l2cap reassemble sdu function can queue an SKB that is immediately dequeued and freed by the bt sock recvmsg function, leading to a use-after-free condition when accessing the struct l2cap ctrl residing in the SKB's CB. To fix this, a local copy of struct l2cap ctrl is kept.

Recommendations For Linux kernel versions prior to 5.19.8, update to version 5.19.8 or later to resolve the issue. As a temporary workaround, consider disabling the Bluetooth L2CAP functionality until a patch is available. Restrict access to the vulnerable l2cap reassemble sdu function to minimize the risk of exploitation. Avoid using the l2cap sock recvmsg function in conjunction with l2cap reassemble sdu until the issue is resolved.