{
  "threat_severity" : "Moderate",
  "public_date" : "2024-04-17T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Bluetooth: af_bluetooth: Fix deadlock",
    "id" : "2275678",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2275678"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-833",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nBluetooth: af_bluetooth: Fix deadlock\nAttempting to do sock_lock on .recvmsg may cause a deadlock as shown\nbelow, so instead of using sock_sock this uses sk_receive_queue.lock\non bt_sock_ioctl to avoid the UAF:\nINFO: task kworker/u9:1:121 blocked for more than 30 seconds.\nNot tainted 6.7.6-lemon #183\nWorkqueue: hci0 hci_rx_work\nCall Trace:\n<TASK>\n__schedule+0x37d/0xa00\nschedule+0x32/0xe0\n__lock_sock+0x68/0xa0\n? __pfx_autoremove_wake_function+0x10/0x10\nlock_sock_nested+0x43/0x50\nl2cap_sock_recv_cb+0x21/0xa0\nl2cap_recv_frame+0x55b/0x30a0\n? psi_task_switch+0xeb/0x270\n? finish_task_switch.isra.0+0x93/0x2a0\nhci_rx_work+0x33a/0x3f0\nprocess_one_work+0x13a/0x2f0\nworker_thread+0x2f0/0x410\n? __pfx_worker_thread+0x10/0x10\nkthread+0xe0/0x110\n? __pfx_kthread+0x10/0x10\nret_from_fork+0x2c/0x50\n? __pfx_kthread+0x10/0x10\nret_from_fork_asm+0x1b/0x30\n</TASK>", "A flaw was found in the Linux kernel’s Bluetooth subsystem, specifically within the af_bluetooth module. The issue arises when attempting to perform a sock_lock on the .recvmsg method, leading to a deadlock situation. In this scenario, multiple tasks wait indefinitely for a resource, causing significant performance degradation or system crashes.\nThe vulnerability occurs during Bluetooth operations, where tasks are blocked for more than 30 seconds, creating potential instability. The solution was to replace the sock_sock lock with the sk_receive_queue.lock in the bt_sock_ioctl function to prevent a use-after-free (UAF) condition and avoid the deadlock." ],
  "statement" : "This flaw has been rated as having a Moderate impact because it is believed to be difficult to exploit and cannot be used to achieve local privilege escalation.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-09-11T00:00:00Z",
    "advisory" : "RHSA-2024:6567",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.35.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-09-11T00:00:00Z",
    "advisory" : "RHSA-2024:6567",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.35.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-09-18T00:00:00Z",
    "advisory" : "RHSA-2024:6744",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "kernel-0:5.14.0-284.84.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-09-18T00:00:00Z",
    "advisory" : "RHSA-2024:6745",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.84.1.rt14.369.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-26886\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26886\nhttps://lore.kernel.org/linux-cve-announce/2024041742-CVE-2024-26886-6345@gregkh/T" ],
  "name" : "CVE-2024-26886",
  "csaw" : false
}