{ "threat_severity" : "Moderate", "public_date" : "2025-12-30T00:00:00Z", "bugzilla" : { "description" : "kernel: Bluetooth: use hdev->workqueue when queuing hdev->{cmd,ncmd}_timer works", "id" : "2426258", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2426258" }, "cvss3" : { "cvss3_base_score" : "6.6", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H", "status" : "verified" }, "cwe" : "CWE-362", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nBluetooth: use hdev->workqueue when queuing hdev->{cmd,ncmd}_timer works\nsyzbot is reporting attempt to schedule hdev->cmd_work work from system_wq\nWQ into hdev->workqueue WQ which is under draining operation [1], for\ncommit c8efcc2589464ac7 (\"workqueue: allow chained queueing during\ndestruction\") does not allow such operation.\nThe check introduced by commit 877afadad2dce8aa (\"Bluetooth: When HCI work\nqueue is drained, only queue chained work\") was incomplete.\nUse hdev->workqueue WQ when queuing hdev->{cmd,ncmd}_timer works because\nhci_{cmd,ncmd}_timeout() calls queue_work(hdev->workqueue). Also, protect\nthe queuing operation with RCU read lock in order to avoid calling\nqueue_delayed_work() after cancel_delayed_work() completed.", "n the Linux kernel’s Bluetooth subsystem there is a flaw in the way Bluetooth HCI work items are queued. Under certain conditions, work associated with command timeouts (hdev->{cmd,ncmd}_timer) could be scheduled on the wrong workqueue while the intended workqueue is being drained. This occurs because the queuing logic did not fully account for workqueue destruction and lacked proper synchronization. An unprivileged local user interacting with Bluetooth interfaces may be able to trigger a system crash or denial of service by causing this improper scheduling" ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-05-09T00:00:00Z", "advisory" : "RHSA-2023:2458", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-284.11.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-05-09T00:00:00Z", "advisory" : "RHSA-2023:2458", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-284.11.1.el9_2" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Under investigation", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50833\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50833\nhttps://lore.kernel.org/linux-cve-announce/2025123017-CVE-2022-50833-92af@gregkh/T" ], "name" : "CVE-2022-50833", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }