{ "threat_severity" : "Moderate", "public_date" : "2024-05-23T00:00:00Z", "bugzilla" : { "description" : "kernel: Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()", "id" : "2282952", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2282952" }, "cvss3" : { "cvss3_base_score" : "7.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-416", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nBluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()\nExtend a critical section to prevent chan from early freeing.\nAlso make the l2cap_connect() return type void. Nothing is using the\nreturned value but it is ugly to return a potentially freed pointer.\nMaking it void will help with backports because earlier kernels did use\nthe return value. Now the compile will break for kernels where this\npatch is not a complete fix.\nCall stack summary:\n[use]\nl2cap_bredr_sig_cmd\nl2cap_connect\n┌ mutex_lock(&conn->chan_lock);\n│ chan = pchan->ops->new_connection(pchan); <- alloc chan\n│ __l2cap_chan_add(conn, chan);\n│ l2cap_chan_hold(chan);\n│ list_add(&chan->list, &conn->chan_l); ... (1)\n└ mutex_unlock(&conn->chan_lock);\nchan->conf_state ... (4) <- use after free\n[free]\nl2cap_conn_del\n┌ mutex_lock(&conn->chan_lock);\n│ foreach chan in conn->chan_l: ... (2)\n│ l2cap_chan_put(chan);\n│ l2cap_chan_destroy\n│ kfree(chan) ... (3) <- chan freed\n└ mutex_unlock(&conn->chan_lock);\n==================================================================\nBUG: KASAN: slab-use-after-free in instrument_atomic_read\ninclude/linux/instrumented.h:68 [inline]\nBUG: KASAN: slab-use-after-free in _test_bit\ninclude/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]\nBUG: KASAN: slab-use-after-free in l2cap_connect+0xa67/0x11a0\nnet/bluetooth/l2cap_core.c:4260\nRead of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311", "A use-after-free vulnerability exists in the Bluetooth stack of the Linux kernel. The l2cap_connect() does not return void during the function return, potentially leading to a loss of system availability." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-05-13T00:00:00Z", "advisory" : "RHSA-2025:6966", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.12.1.el9_6" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-05-13T00:00:00Z", "advisory" : "RHSA-2025:6966", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.12.1.el9_6" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Will not fix", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Will not fix", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Will not fix", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-36013\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-36013\nhttps://lore.kernel.org/linux-cve-announce/2024052314-CVE-2024-36013-0c90@gregkh/T" ], "name" : "CVE-2024-36013", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }