{ "threat_severity" : "Moderate", "public_date" : "2025-09-18T00:00:00Z", "bugzilla" : { "description" : "kernel: Bluetooth: L2CAP: Fix user-after-free", "id" : "2396431", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2396431" }, "cvss3" : { "cvss3_base_score" : "7.6", "cvss3_scoring_vector" : "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H", "status" : "verified" }, "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nBluetooth: L2CAP: Fix user-after-free\nThis uses l2cap_chan_hold_unless_zero() after calling\n__l2cap_get_chan_blah() to prevent the following trace:\nBluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref\n*kref)\nBluetooth: chan 0000000023c4974d\nBluetooth: parent 00000000ae861c08\n==================================================================\nBUG: KASAN: use-after-free in __mutex_waiter_is_first\nkernel/locking/mutex.c:191 [inline]\nBUG: KASAN: use-after-free in __mutex_lock_common\nkernel/locking/mutex.c:671 [inline]\nBUG: KASAN: use-after-free in __mutex_lock+0x278/0x400\nkernel/locking/mutex.c:729\nRead of size 8 at addr ffff888006a49b08 by task kworker/u3:2/389" ], "statement" : "A use-after-free in the Bluetooth L2CAP subsystem could occur when handling channel responses in l2cap_connect_create_rsp(), due to missing reference checks. This condition can be triggered during race conditions between channel creation and teardown, leading to kernel crashes. Exploitation is most practical as a local or adjacent denial of service over Bluetooth.\nL2CAP underpins many Bluetooth profiles and services (BLE ATT/GATT, RFCOMM, A2DP/AVRCP, HID, PAN, SDP, OBEX, etc.). Any profile that creates logical L2CAP channels may be involved. Common real-world triggers include BLE GATT interactions, audio profiles, HID devices, and tethering/PAN connections.\nAn attacker within radio range can attempt to repeatedly open/close or otherwise race L2CAP channels to increase likelihood of the race (fast connect/disconnect storms or parallel requests).\nMost realistic impact is a local/adjacent attacker (in Bluetooth radio range) who can actively interact with the target Bluetooth stack.\nThe CIA=HHH for CVSS is a conservative/precautionary assessment. In practical terms, successful privilege escalation or remote compromise is unlikely but theoretically possible: to do so an attacker would need to craft a sequence that causes controlled memory corruption and further exploit kernel memory layout — substantially harder than causing a crash.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date" : "2025-12-09T00:00:00Z", "advisory" : "RHSA-2025:22914", "cpe" : "cpe:/a:redhat:rhel_extras_rt_els:7", "package" : "kernel-rt-0:3.10.0-1160.143.1.rt56.1295.el7" }, { "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date" : "2025-12-09T00:00:00Z", "advisory" : "RHSA-2025:22910", "cpe" : "cpe:/o:redhat:rhel_els:7", "package" : "kernel-0:3.10.0-1160.143.1.el7" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-10-27T00:00:00Z", "advisory" : "RHSA-2025:19103", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-553.81.1.rt7.422.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-10-27T00:00:00Z", "advisory" : "RHSA-2025:19102", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.81.1.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date" : "2025-12-17T00:00:00Z", "advisory" : "RHSA-2025:23445", "cpe" : "cpe:/o:redhat:rhel_aus:8.2", "package" : "kernel-0:4.18.0-193.178.1.el8_2" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date" : "2025-12-04T00:00:00Z", "advisory" : "RHSA-2025:22752", "cpe" : "cpe:/o:redhat:rhel_aus:8.4", "package" : "kernel-0:4.18.0-305.179.1.el8_4" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On", "release_date" : "2025-12-04T00:00:00Z", "advisory" : "RHSA-2025:22752", "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4", "package" : "kernel-0:4.18.0-305.179.1.el8_4" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date" : "2025-11-25T00:00:00Z", "advisory" : "RHSA-2025:22006", "cpe" : "cpe:/o:redhat:rhel_aus:8.6", "package" : "kernel-0:4.18.0-372.170.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date" : "2025-11-25T00:00:00Z", "advisory" : "RHSA-2025:22006", "cpe" : "cpe:/o:redhat:rhel_tus:8.6", "package" : "kernel-0:4.18.0-372.170.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2025-11-25T00:00:00Z", "advisory" : "RHSA-2025:22006", "cpe" : "cpe:/o:redhat:rhel_e4s:8.6", "package" : "kernel-0:4.18.0-372.170.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "release_date" : "2025-11-12T00:00:00Z", "advisory" : "RHSA-2025:21083", "cpe" : "cpe:/o:redhat:rhel_tus:8.8", "package" : "kernel-0:4.18.0-477.118.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date" : "2025-11-12T00:00:00Z", "advisory" : "RHSA-2025:21083", "cpe" : "cpe:/o:redhat:rhel_e4s:8.8", "package" : "kernel-0:4.18.0-477.118.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2025-11-12T00:00:00Z", "advisory" : "RHSA-2025:21091", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0", "package" : "kernel-0:5.14.0-70.153.1.el9_0" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2025-11-12T00:00:00Z", "advisory" : "RHSA-2025:21136", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv", "package" : "kernel-rt-0:5.14.0-70.153.1.rt21.225.el9_0" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2025-11-25T00:00:00Z", "advisory" : "RHSA-2025:22095", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2", "package" : "kernel-0:5.14.0-284.148.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2025-11-25T00:00:00Z", "advisory" : "RHSA-2025:22124", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv", "package" : "kernel-rt-0:5.14.0-284.148.1.rt14.433.el9_2" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50386\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50386\nhttps://lore.kernel.org/linux-cve-announce/2025091852-CVE-2022-50386-07d7@gregkh/T" ], "name" : "CVE-2022-50386", "mitigation" : { "value" : "To mitigate these vulnerabilities on the operating system level, disable the Bluetooth functionality via blocklisting kernel modules in the Linux kernel. The kernel modules can be prevented from being loaded by using system-wide modprobe rules. Instructions on how to disable Bluetooth modules are available on the customer portal at https://access.redhat.com/solutions/2682931.\nAlternatively, bluetooth can be disabled within the hardware or at the BIOS level, which will also provide effective mitigation as the kernel will not detect Bluetooth hardware on the system.", "lang" : "en:us" }, "csaw" : false }