CVE-2022-49474

Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout

Severity Score

7.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

MITRE
TN

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout Connecting the same socket twice consecutively in sco_sock_connect()
could lead to a race condition where two sco_conn objects are created
but only one is associated with the socket. If the socket is closed
before the SCO connection is established, the timer associated with the
dangling sco_conn object won't be canceled. As the sock object is being
freed, the use-after-free problem happens when the timer callback
function sco_sock_timeout() accesses the socket. Here's the call trace: dump_stack+0x107/0x163
? refcount_inc+0x1c/
print_address_description.constprop.0+0x1c/0x47e
? refcount_inc+0x1c/0x7b
kasan_report+0x13a/0x173
? refcount_inc+0x1c/0x7b
check_memory_region+0x132/0x139
refcount_inc+0x1c/0x7b
sco_sock_timeout+0xb2/0x1ba
process_one_work+0x739/0xbd1
? cancel_delayed_work+0x13f/0x13f
? __raw_spin_lock_init+0xf0/0xf0
? to_kthread+0x59/0x85
worker_thread+0x593/0x70e
kthread+0x346/0x35a
? drain_workqueue+0x31a/0x31a
? kthread_bind+0x4b/0x4b
ret_from_fork+0x1f/0x30

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout Connecting the same socket twice consecutively in sco_sock_connect() could lead to a race condition where two sco_conn objects are created but only one is associated with the socket. If the socket is closed before the SCO connection is established, the timer associated with the dangling sco_conn object won't be canceled. As the sock object is being freed, the use-after-free problem happens when the timer callback function sco_sock_timeout() accesses the socket. Here's the call trace: dump_stack+0x107/0x163 ? refcount_inc+0x1c/ print_address_description.constprop.0+0x1c/0x47e ? refcount_inc+0x1c/0x7b kasan_report+0x13a/0x173 ? refcount_inc+0x1c/0x7b check_memory_region+0x132/0x139 refcount_inc+0x1c/0x7b sco_sock_timeout+0xb2/0x1ba process_one_work+0x739/0xbd1 ? cancel_delayed_work+0x13f/0x13f ? __raw_spin_lock_init+0xf0/0xf0 ? to_kthread+0x59/0x85 worker_thread+0x593/0x70e kthread+0x346/0x35a ? drain_workqueue+0x31a/0x31a ? kthread_bind+0x4b/0x4b ret_from_fork+0x1f/0x30

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2025-02-26 CVE Reserved
2025-02-26 CVE Published
2025-02-26 CVE Updated
---------- EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (18)

URL	Tag	Source
https://git.kernel.org/stable/c/22c66af08230a7030bdb88accffaec3424695631	Vuln. Introduced
https://git.kernel.org/stable/c/0115a66ebb44bd9127ccb58cf43ed23c795eb1f0	Vuln. Introduced
https://git.kernel.org/stable/c/bc4b08383046f3282b6fa58cfcef05bd13e52b93	Vuln. Introduced
https://git.kernel.org/stable/c/5ccb04c6e1fb7b97fa2e1785b67c3a1cb3527ef7	Vuln. Introduced
https://git.kernel.org/stable/c/059c2c09f4b7f97711d0d8eaa0b9877f5e7d0a75	Vuln. Introduced
https://git.kernel.org/stable/c/e1dee2c1de2b4dd00eb44004a4bda6326ed07b59	Vuln. Introduced
https://git.kernel.org/stable/c/98ae477ed1540d3acbbf44d88ee237ad64275158	Vuln. Introduced
https://git.kernel.org/stable/c/f0c389e23e2475e5837716a629c81b7a9d90cc94	Vuln. Introduced
https://git.kernel.org/stable/c/0b9da4bde0d59c61b3675bdd80a05a726beb875a	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/9de3dc09e56f8deacd2bdbf4cecb71e11a312405	2022-06-14
https://git.kernel.org/stable/c/7d61dbd7311ab978d8ddac1749a758de4de00374	2022-06-14
https://git.kernel.org/stable/c/390d82733a953c1fabf3de9c9618091a7a9c90a6	2022-06-14
https://git.kernel.org/stable/c/6f55fac0af3531cf60d11369454c41f5fc81ab3f	2022-06-14
https://git.kernel.org/stable/c/36c644c63bfcaee2d3a426f45e89a9cd09799318	2022-06-09
https://git.kernel.org/stable/c/65d347cb39e2e6bd0c2a745ad7c928998ebb0162	2022-06-09
https://git.kernel.org/stable/c/537f619dea4e3fa8ed1f8f938abffe3615794bcc	2022-06-09
https://git.kernel.org/stable/c/99df16007f4bbf9abfc3478cb17d10f0d7f8906e	2022-06-09
https://git.kernel.org/stable/c/7aa1e7d15f8a5b65f67bacb100d8fc033b21efa2	2022-05-13

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.9.283 < 4.9.318 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.9.283 < 4.9.318"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.14.247 < 4.14.283 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14.247 < 4.14.283"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.19.207 < 4.19.247 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.19.207 < 4.19.247"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.4.146 < 5.4.198 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.4.146 < 5.4.198"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10.65 < 5.10.121 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10.65 < 5.10.121"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15 < 5.15.46 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 5.15.46"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15 < 5.17.14 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 5.17.14"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15 < 5.18.3 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 5.18.3"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15 < 5.19 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 5.19"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.4.284 Search vendor "Linux" for product "Linux Kernel" and version "4.4.284"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.13.17 Search vendor "Linux" for product "Linux Kernel" and version "5.13.17"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.14.4 Search vendor "Linux" for product "Linux Kernel" and version "5.14.4"		en		Affected