{
  "threat_severity" : "Moderate",
  "public_date" : "2024-10-21T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Bluetooth: L2CAP: Fix uaf in l2cap_connect",
    "id" : "2320459",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2320459"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nBluetooth: L2CAP: Fix uaf in l2cap_connect\n[Syzbot reported]\nBUG: KASAN: slab-use-after-free in l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949\nRead of size 8 at addr ffff8880241e9800 by task kworker/u9:0/54\nCPU: 0 UID: 0 PID: 54 Comm: kworker/u9:0 Not tainted 6.11.0-rc6-syzkaller-00268-g788220eee30d #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nWorkqueue: hci2 hci_rx_work\nCall Trace:\n<TASK>\n__dump_stack lib/dump_stack.c:93 [inline]\ndump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119\nprint_address_description mm/kasan/report.c:377 [inline]\nprint_report+0xc3/0x620 mm/kasan/report.c:488\nkasan_report+0xd9/0x110 mm/kasan/report.c:601\nl2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949\nl2cap_connect_req net/bluetooth/l2cap_core.c:4080 [inline]\nl2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:4772 [inline]\nl2cap_sig_channel net/bluetooth/l2cap_core.c:5543 [inline]\nl2cap_recv_frame+0xf0b/0x8eb0 net/bluetooth/l2cap_core.c:6825\nl2cap_recv_acldata+0x9b4/0xb70 net/bluetooth/l2cap_core.c:7514\nhci_acldata_packet net/bluetooth/hci_core.c:3791 [inline]\nhci_rx_work+0xaab/0x1610 net/bluetooth/hci_core.c:4028\nprocess_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231\nprocess_scheduled_works kernel/workqueue.c:3312 [inline]\nworker_thread+0x6c8/0xed0 kernel/workqueue.c:3389\nkthread+0x2c1/0x3a0 kernel/kthread.c:389\nret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n...\nFreed by task 5245:\nkasan_save_stack+0x33/0x60 mm/kasan/common.c:47\nkasan_save_track+0x14/0x30 mm/kasan/common.c:68\nkasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579\npoison_slab_object+0xf7/0x160 mm/kasan/common.c:240\n__kasan_slab_free+0x32/0x50 mm/kasan/common.c:256\nkasan_slab_free include/linux/kasan.h:184 [inline]\nslab_free_hook mm/slub.c:2256 [inline]\nslab_free mm/slub.c:4477 [inline]\nkfree+0x12a/0x3b0 mm/slub.c:4598\nl2cap_conn_free net/bluetooth/l2cap_core.c:1810 [inline]\nkref_put include/linux/kref.h:65 [inline]\nl2cap_conn_put net/bluetooth/l2cap_core.c:1822 [inline]\nl2cap_conn_del+0x59d/0x730 net/bluetooth/l2cap_core.c:1802\nl2cap_connect_cfm+0x9e6/0xf80 net/bluetooth/l2cap_core.c:7241\nhci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]\nhci_conn_failed+0x1c3/0x370 net/bluetooth/hci_conn.c:1265\nhci_abort_conn_sync+0x75a/0xb50 net/bluetooth/hci_sync.c:5583\nabort_conn_sync+0x197/0x360 net/bluetooth/hci_conn.c:2917\nhci_cmd_sync_work+0x1a4/0x410 net/bluetooth/hci_sync.c:328\nprocess_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231\nprocess_scheduled_works kernel/workqueue.c:3312 [inline]\nworker_thread+0x6c8/0xed0 kernel/workqueue.c:3389\nkthread+0x2c1/0x3a0 kernel/kthread.c:389\nret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244" ],
  "statement" : "This issue is considered to be a moderate impact flaw, as the exploitation for this will need an ADMIN (or ROOT) privilege (PR:H).",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-49950\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-49950\nhttps://lore.kernel.org/linux-cve-announce/2024102129-CVE-2024-49950-bbf4@gregkh/T" ],
  "name" : "CVE-2024-49950",
  "csaw" : false
}