{ "threat_severity" : "Moderate", "public_date" : "2025-12-08T00:00:00Z", "bugzilla" : { "description" : "kernel: Linux kernel Bluetooth: Denial of Service due to use-after-free in connection handling", "id" : "2419838", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2419838" }, "cvss3" : { "cvss3_base_score" : "7.0", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-825", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nBluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync\nUse-after-free can occur in hci_disconnect_all_sync if a connection is\ndeleted by concurrent processing of a controller event.\nTo prevent this the code now tries to iterate over the list backwards\nto ensure the links are cleanup before its parents, also it no longer\nrelies on a cursor, instead it always uses the last element since\nhci_abort_conn_sync is guaranteed to call hci_conn_del.\nUAF crash log:\n==================================================================\nBUG: KASAN: slab-use-after-free in hci_set_powered_sync\n(net/bluetooth/hci_sync.c:5424) [bluetooth]\nRead of size 8 at addr ffff888009d9c000 by task kworker/u9:0/124\nCPU: 0 PID: 124 Comm: kworker/u9:0 Tainted: G W\n6.5.0-rc1+ #10\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\n1.16.2-1.fc38 04/01/2014\nWorkqueue: hci0 hci_cmd_sync_work [bluetooth]\nCall Trace:\n\ndump_stack_lvl+0x5b/0x90\nprint_report+0xcf/0x670\n? __virt_addr_valid+0xdd/0x160\n? hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]\nkasan_report+0xa6/0xe0\n? hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]\n? __pfx_set_powered_sync+0x10/0x10 [bluetooth]\nhci_set_powered_sync+0x2c9/0x4a0 [bluetooth]\n? __pfx_hci_set_powered_sync+0x10/0x10 [bluetooth]\n? __pfx_lock_release+0x10/0x10\n? __pfx_set_powered_sync+0x10/0x10 [bluetooth]\nhci_cmd_sync_work+0x137/0x220 [bluetooth]\nprocess_one_work+0x526/0x9d0\n? __pfx_process_one_work+0x10/0x10\n? __pfx_do_raw_spin_lock+0x10/0x10\n? mark_held_locks+0x1a/0x90\nworker_thread+0x92/0x630\n? __pfx_worker_thread+0x10/0x10\nkthread+0x196/0x1e0\n? __pfx_kthread+0x10/0x10\nret_from_fork+0x2c/0x50\n\nAllocated by task 1782:\nkasan_save_stack+0x33/0x60\nkasan_set_track+0x25/0x30\n__kasan_kmalloc+0x8f/0xa0\nhci_conn_add+0xa5/0xa80 [bluetooth]\nhci_bind_cis+0x881/0x9b0 [bluetooth]\niso_connect_cis+0x121/0x520 [bluetooth]\niso_sock_connect+0x3f6/0x790 [bluetooth]\n__sys_connect+0x109/0x130\n__x64_sys_connect+0x40/0x50\ndo_syscall_64+0x60/0x90\nentry_SYSCALL_64_after_hwframe+0x6e/0xd8\nFreed by task 695:\nkasan_save_stack+0x33/0x60\nkasan_set_track+0x25/0x30\nkasan_save_free_info+0x2b/0x50\n__kasan_slab_free+0x10a/0x180\n__kmem_cache_free+0x14d/0x2e0\ndevice_release+0x5d/0xf0\nkobject_put+0xdf/0x270\nhci_disconn_complete_evt+0x274/0x3a0 [bluetooth]\nhci_event_packet+0x579/0x7e0 [bluetooth]\nhci_rx_work+0x287/0xaa0 [bluetooth]\nprocess_one_work+0x526/0x9d0\nworker_thread+0x92/0x630\nkthread+0x196/0x1e0\nret_from_fork+0x2c/0x50\n==================================================================", "A flaw was found in the Linux kernel's Bluetooth subsystem. A use-after-free (UAF) vulnerability exists in the `hci_disconnect_all_sync` function. This can occur if a Bluetooth connection is deleted while a controller event is being processed concurrently. A local attacker could potentially exploit this flaw to trigger a system crash, leading to a Denial of Service." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2026-02-17T00:00:00Z", "advisory" : "RHSA-2026:2821", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-553.105.1.rt7.446.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2026-02-16T00:00:00Z", "advisory" : "RHSA-2026:2720", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.105.1.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2026-02-25T00:00:00Z", "advisory" : "RHSA-2026:3267", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2", "package" : "kernel-0:5.14.0-284.158.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2026-02-25T00:00:00Z", "advisory" : "RHSA-2026:3358", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv", "package" : "kernel-rt-0:5.14.0-284.158.1.rt14.443.el9_2" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53762\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53762\nhttps://lore.kernel.org/linux-cve-announce/2025120845-CVE-2023-53762-01bc@gregkh/T" ], "name" : "CVE-2023-53762", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }