{
  "threat_severity" : "Moderate",
  "public_date" : "2025-02-26T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Bluetooth: Fix use after free in hci_send_acl",
    "id" : "2347952",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2347952"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nBluetooth: Fix use after free in hci_send_acl\nThis fixes the following trace caused by receiving\nHCI_EV_DISCONN_PHY_LINK_COMPLETE which does call hci_conn_del without\nfirst checking if conn->type is in fact AMP_LINK and in case it is\ndo properly cleanup upper layers with hci_disconn_cfm:\n==================================================================\nBUG: KASAN: use-after-free in hci_send_acl+0xaba/0xc50\nRead of size 8 at addr ffff88800e404818 by task bluetoothd/142\nCPU: 0 PID: 142 Comm: bluetoothd Not tainted\n5.17.0-rc5-00006-gda4022eeac1a #7\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\nCall Trace:\n<TASK>\ndump_stack_lvl+0x45/0x59\nprint_address_description.constprop.0+0x1f/0x150\nkasan_report.cold+0x7f/0x11b\nhci_send_acl+0xaba/0xc50\nl2cap_do_send+0x23f/0x3d0\nl2cap_chan_send+0xc06/0x2cc0\nl2cap_sock_sendmsg+0x201/0x2b0\nsock_sendmsg+0xdc/0x110\nsock_write_iter+0x20f/0x370\ndo_iter_readv_writev+0x343/0x690\ndo_iter_write+0x132/0x640\nvfs_writev+0x198/0x570\ndo_writev+0x202/0x280\ndo_syscall_64+0x38/0x90\nentry_SYSCALL_64_after_hwframe+0x44/0xae\nRSP: 002b:00007ffce8a099b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014\nCode: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3\n0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 14 00 00 00 0f 05\n<48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10\nRDX: 0000000000000001 RSI: 00007ffce8a099e0 RDI: 0000000000000015\nRAX: ffffffffffffffda RBX: 00007ffce8a099e0 RCX: 00007f788fc3cf77\nR10: 00007ffce8af7080 R11: 0000000000000246 R12: 000055e4ccf75580\nRBP: 0000000000000015 R08: 0000000000000002 R09: 0000000000000001\n</TASK>\nR13: 000055e4ccf754a0 R14: 000055e4ccf75cd0 R15: 000055e4ccf4a6b0\nAllocated by task 45:\nkasan_save_stack+0x1e/0x40\n__kasan_kmalloc+0x81/0xa0\nhci_chan_create+0x9a/0x2f0\nl2cap_conn_add.part.0+0x1a/0xdc0\nl2cap_connect_cfm+0x236/0x1000\nle_conn_complete_evt+0x15a7/0x1db0\nhci_le_conn_complete_evt+0x226/0x2c0\nhci_le_meta_evt+0x247/0x450\nhci_event_packet+0x61b/0xe90\nhci_rx_work+0x4d5/0xc50\nprocess_one_work+0x8fb/0x15a0\nworker_thread+0x576/0x1240\nkthread+0x29d/0x340\nret_from_fork+0x1f/0x30\nFreed by task 45:\nkasan_save_stack+0x1e/0x40\nkasan_set_track+0x21/0x30\nkasan_set_free_info+0x20/0x30\n__kasan_slab_free+0xfb/0x130\nkfree+0xac/0x350\nhci_conn_cleanup+0x101/0x6a0\nhci_conn_del+0x27e/0x6c0\nhci_disconn_phylink_complete_evt+0xe0/0x120\nhci_event_packet+0x812/0xe90\nhci_rx_work+0x4d5/0xc50\nprocess_one_work+0x8fb/0x15a0\nworker_thread+0x576/0x1240\nkthread+0x29d/0x340\nret_from_fork+0x1f/0x30\nThe buggy address belongs to the object at ffff88800c0f0500\nThe buggy address is located 24 bytes inside of\nwhich belongs to the cache kmalloc-128 of size 128\nThe buggy address belongs to the page:\n128-byte region [ffff88800c0f0500, ffff88800c0f0580)\nflags: 0x100000000000200(slab|node=0|zone=1)\npage:00000000fe45cd86 refcount:1 mapcount:0\nmapping:0000000000000000 index:0x0 pfn:0xc0f0\nraw: 0000000000000000 0000000080100010 00000001ffffffff\n0000000000000000\nraw: 0100000000000200 ffffea00003a2c80 dead000000000004\nffff8880078418c0\npage dumped because: kasan: bad access detected\nffff88800c0f0400: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc\nMemory state around the buggy address:\n>ffff88800c0f0500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\nffff88800c0f0480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\nffff88800c0f0580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n---truncated---", "A vulnerability was found in the Linux kernel's Bluetooth subsystem in the `hci_disconn_phylink_complete_evt()` function. Improper cleanup and reference handling can lead to a connection object, `hcon`, being freed while the L2CAP layer still references it, so it is accessed again on a later send. The resulting use-after-free can cause system instability, memory corruption, and potentially code execution." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-07-09T00:00:00Z",
    "advisory" : "RHSA-2025:10670",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.60.1.rt7.401.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-07-09T00:00:00Z",
    "advisory" : "RHSA-2025:10669",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.60.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
    "release_date" : "2025-07-02T00:00:00Z",
    "advisory" : "RHSA-2025:10179",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.2",
    "package" : "kernel-0:4.18.0-193.156.1.el8_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2025-07-01T00:00:00Z",
    "advisory" : "RHSA-2025:10005",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.4",
    "package" : "kernel-0:4.18.0-305.161.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2025-07-09T00:00:00Z",
    "advisory" : "RHSA-2025:10673",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.6",
    "package" : "kernel-0:4.18.0-372.151.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2025-07-09T00:00:00Z",
    "advisory" : "RHSA-2025:10673",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.6",
    "package" : "kernel-0:4.18.0-372.151.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2025-07-09T00:00:00Z",
    "advisory" : "RHSA-2025:10673",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "kernel-0:4.18.0-372.151.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2025-07-02T00:00:00Z",
    "advisory" : "RHSA-2025:10211",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.8",
    "package" : "kernel-0:4.18.0-477.100.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2025-07-02T00:00:00Z",
    "advisory" : "RHSA-2025:10211",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.8",
    "package" : "kernel-0:4.18.0-477.100.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2458",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-284.11.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-07-01T00:00:00Z",
    "advisory" : "RHSA-2025:10174",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "kernel-0:5.14.0-70.136.1.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-07-02T00:00:00Z",
    "advisory" : "RHSA-2025:10193",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv",
    "package" : "kernel-rt-0:5.14.0-70.136.1.rt21.208.el9_0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-49111\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49111\nhttps://lore.kernel.org/linux-cve-announce/2025022602-CVE-2022-49111-8795@gregkh/T" ],
  "name" : "CVE-2022-49111",
  "csaw" : false
}
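The KASAN report above shows the two halves of the bug: the hci_chan is allocated by hci_chan_create() on behalf of L2CAP, then freed by hci_conn_del() from hci_disconn_phylink_complete_evt() without L2CAP ever being told, so the next l2cap_do_send() from bluetoothd dereferences freed memory in hci_send_acl(). The following is an added userspace model of that ownership chain, not kernel code and not part of the Red Hat record: the function names mirror the kernel's, but every structure, the link-type and state constants, the return codes and the KASAN-like quarantine are assumptions made for the model. The fixed handler follows what the commit message describes (check that conn->type is AMP_LINK and call hci_disconn_cfm before deleting); it is a reconstruction, not the upstream patch text.

```c
#include <stdio.h>
#include <stdlib.h>

/* Link types and states: values are assumptions for this model only. */
enum { ACL_LINK = 1, AMP_LINK = 4 };
enum { BT_CONNECTED = 1, BT_CLOSED = 9 };

/* KASAN-like quarantine: "freed" objects are poisoned rather than reused,
 * so a later access is detected instead of being undefined behaviour. */
#define MAX_OBJS 8
static void *quarantine[MAX_OBJS];
static int nquarantined;

static void model_kfree(void *p) {
    if (nquarantined < MAX_OBJS) quarantine[nquarantined++] = p;
}
static int model_is_freed(const void *p) {
    for (int i = 0; i < nquarantined; i++)
        if (quarantine[i] == p) return 1;
    return 0;
}
static void model_reset(void) {
    for (int i = 0; i < nquarantined; i++) free(quarantine[i]);
    nquarantined = 0;
}

struct hci_chan;
struct hci_conn {
    int type;
    int state;
    struct hci_chan *chan;   /* owned by the connection, freed with it */
};
struct hci_chan { struct hci_conn *conn; };

/* Upper layer: L2CAP keeps a raw pointer to the hci_chan and drops it only
 * when the HCI core notifies it through hci_disconn_cfm(). */
struct l2cap_conn { struct hci_chan *hchan; };
static struct l2cap_conn l2cap;

/* hci_chan_create() + l2cap_conn_add(): allocate the channel and hand the
 * pointer to L2CAP (the "Allocated by" stack in the report). */
static struct hci_conn *conn_create(int type) {
    struct hci_conn *hcon = calloc(1, sizeof *hcon);
    hcon->type = type;
    hcon->state = BT_CONNECTED;
    hcon->chan = calloc(1, sizeof *hcon->chan);
    hcon->chan->conn = hcon;
    l2cap.hchan = hcon->chan;
    return hcon;
}

/* hci_disconn_cfm(): tells L2CAP the link is gone so it releases its pointer. */
static void hci_disconn_cfm(struct hci_conn *hcon) {
    if (l2cap.hchan == hcon->chan) l2cap.hchan = NULL;
}

/* hci_conn_del() -> hci_conn_cleanup(): frees the chan, then the conn
 * (the "Freed by" stack in the report). */
static void hci_conn_del(struct hci_conn *hcon) {
    model_kfree(hcon->chan);
    model_kfree(hcon);
}

/* hci_send_acl() as reached from l2cap_do_send(): dereferences the chan.
 * 0 = sent, -1 = no channel (clean failure), -2 = access to freed memory,
 * which is what KASAN flagged in the real kernel. */
static int hci_send_acl(struct hci_chan *chan) {
    if (!chan) return -1;
    if (model_is_freed(chan)) return -2;
    return chan->conn->state == BT_CONNECTED ? 0 : -1;
}

/* Vulnerable handler: deletes the connection whatever its type and never
 * tells the upper layers. */
static void disconn_phylink_evt_vulnerable(struct hci_conn *hcon) {
    if (hcon) hci_conn_del(hcon);
}

/* Fixed handler, as the commit message describes: only AMP links belong to
 * this event, and upper layers are detached before the object is freed. */
static void disconn_phylink_evt_fixed(struct hci_conn *hcon) {
    if (hcon && hcon->type == AMP_LINK) {
        hcon->state = BT_CLOSED;
        hci_disconn_cfm(hcon);
        hci_conn_del(hcon);
    }
}

/* Scenario from the trace: a link of the given type receives
 * HCI_EV_DISCONN_PHY_LINK_COMPLETE, then bluetoothd writes to an L2CAP
 * socket. Returns hci_send_acl()'s result. */
static int run_scenario(int type, int fixed) {
    model_reset();
    struct hci_conn *hcon = conn_create(type);
    if (fixed) disconn_phylink_evt_fixed(hcon);
    else       disconn_phylink_evt_vulnerable(hcon);
    int rc = hci_send_acl(l2cap.hchan);
    if (!model_is_freed(hcon)) {   /* normal teardown of a surviving link */
        hci_disconn_cfm(hcon);
        hci_conn_del(hcon);
    }
    return rc;
}

int main(void) {
    printf("LE/ACL link, vulnerable handler: rc=%d\n", run_scenario(ACL_LINK, 0));
    printf("LE/ACL link, fixed handler:      rc=%d\n", run_scenario(ACL_LINK, 1));
    printf("AMP link,    fixed handler:      rc=%d\n", run_scenario(AMP_LINK, 1));
    model_reset();
    return 0;
}
```

With the vulnerable handler the send after the event returns the use-after-free code for any link type, which matches the trace (an LE connection, allocated from le_conn_complete_evt, torn down by an AMP-only event). With the fixed handler a non-AMP link is left alone and keeps sending, and an AMP link is detached from L2CAP before its memory goes away, so the later send fails cleanly with "no channel" instead of touching freed memory.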