Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix user-after-free

This uses l2cap_chan_hold_unless_zero() after calling __l2cap_get_chan_blah() to prevent the following trace:

    Bluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref *kref)
    Bluetooth: chan 0000000023c4974d
    Bluetooth: parent 00000000ae861c08
    BUG: KASAN: use-after-free in __mutex_waiter_is_first kernel/locking/mutex.c:191 [inline]
    BUG: KASAN: use-after-free in __mutex_lock_common kernel/locking/mutex.c:671 [inline]
    BUG: KASAN: use-after-free in __mutex_lock+0x278/0x400 kernel/locking/mutex.c:729
    Read of size 8 at addr ffff888006a49b08 by task kworker/u3:2/389
Report
A use-after-free in the Bluetooth L2CAP subsystem could occur when handling channel responses in l2cap_connect_create_rsp(), due to missing reference checks. The condition can be triggered by a race between channel creation and teardown, leading to kernel crashes. Exploitation is most practical as a local or adjacent denial of service over Bluetooth.

L2CAP underpins many Bluetooth profiles and services (BLE ATT/GATT, RFCOMM, A2DP/AVRCP, HID, PAN, SDP, OBEX, etc.). Any profile that creates logical L2CAP channels may be involved. Common real-world triggers include BLE GATT interactions, audio profiles, HID devices, and tethering/PAN connections. An attacker within radio range can attempt to repeatedly open/close or otherwise race L2CAP channels to increase the likelihood of hitting the race (fast connect/disconnect storms or parallel requests).

The most realistic impact comes from a local/adjacent attacker (in Bluetooth radio range) who can actively interact with the target Bluetooth stack. The CIA=HHH rating for CVSS is a conservative, precautionary assessment. In practical terms, successful privilege escalation or remote compromise is unlikely but theoretically possible: an attacker would need to craft a sequence that causes controlled memory corruption and then further exploit the kernel memory layout, which is substantially harder than causing a crash.
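The reference check named in the description, shown as an added user-space model (not kernel code and not part of the original advisory). `struct chan`, `chan_hold_unless_zero()`, `chan_put()` and `simulate_response()` are hypothetical names; the race is replayed sequentially as one fixed interleaving, and a `destroyed` flag stands in for the actual free so the program stays memory-safe.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical user-space stand-in for a refcounted L2CAP channel. */
struct chan {
    atomic_int refcount; /* models the kref inside the channel */
    bool destroyed;      /* set by the release path; stands in for kfree() */
};

enum outcome { REJECTED, USED_LIVE, USED_FREED };

/* Take a reference only if the count has not already reached zero. */
static bool chan_hold_unless_zero(struct chan *c)
{
    int old = atomic_load(&c->refcount);
    while (old != 0)
        if (atomic_compare_exchange_weak(&c->refcount, &old, old + 1))
            return true;
    return false;
}

static void chan_put(struct chan *c) /* the last put runs the destroy path */
{
    if (atomic_fetch_sub(&c->refcount, 1) == 1)
        c->destroyed = true;
}

/* One response-handler run; teardown_first replays the losing side of the race. */
enum outcome simulate_response(bool patched, bool teardown_first)
{
    struct chan c = { .destroyed = false };
    atomic_init(&c.refcount, 1);
    if (teardown_first)
        chan_put(&c); /* last reference dropped while lookup can still find it */
    struct chan *found = &c; /* lookup hands back a bare pointer, no reference */
    if (patched && !chan_hold_unless_zero(found))
        return REJECTED; /* channel is dying: bail out before touching it */
    enum outcome r = found->destroyed ? USED_FREED : USED_LIVE; /* lock/use step */
    if (patched)
        chan_put(found);
    return r;
}

int main(void)
{
    printf("unpatched=%d patched=%d\n", simulate_response(false, true), simulate_response(true, true));
    return 0;
}
```

Without the check the handler reaches the use step on an already destroyed channel, which is where the KASAN report fires inside the mutex lock; with it, the handler gives up as soon as the count is seen at zero.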
Mitigation
To mitigate this vulnerability at the operating system level, disable Bluetooth functionality by blocklisting the Bluetooth kernel modules. The modules can be prevented from loading by using system-wide modprobe rules. Instructions on how to disable Bluetooth modules are available on the customer portal at https://access.redhat.com/solutions/2682931. Alternatively, Bluetooth can be disabled in the hardware or at the BIOS level, which is also an effective mitigation because the kernel will not detect Bluetooth hardware on the system.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | kernel | Not affected | ||
| Red Hat Enterprise Linux 6 | kernel | Not affected | ||
| Red Hat Enterprise Linux 9 | kernel | Affected | ||
| Red Hat Enterprise Linux 9 | kernel-rt | Affected | ||
| Red Hat Enterprise Linux 7 Extended Lifecycle Support | kernel-rt | Fixed | RHSA-2025:22914 | 09.12.2025 |
| Red Hat Enterprise Linux 7 Extended Lifecycle Support | kernel | Fixed | RHSA-2025:22910 | 09.12.2025 |
| Red Hat Enterprise Linux 8 | kernel-rt | Fixed | RHSA-2025:19103 | 27.10.2025 |
| Red Hat Enterprise Linux 8 | kernel | Fixed | RHSA-2025:19102 | 27.10.2025 |
| Red Hat Enterprise Linux 8.2 Advanced Update Support | kernel | Fixed | RHSA-2025:23445 | 17.12.2025 |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | kernel | Fixed | RHSA-2025:22752 | 04.12.2025 |
Additional information
CVSS3: 7.6 High
Related vulnerabilities
Security update for the Linux Kernel (Live Patch 72 for SLE 12 SP5)