CVE-2024-26801

Bluetooth: Avoid potential use-after-free in hci_error_reset

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Avoid potential use-after-free in hci_error_reset While handling the HCI_EV_HARDWARE_ERROR event, if the underlying
BT controller is not responding, the GPIO reset mechanism would
free the hci_dev and lead to a use-after-free in hci_error_reset. Here's the call trace observed on a ChromeOS device with Intel AX201: queue_work_on+0x3e/0x6c __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth <HASH:3b4a6>] ? init_wait_entry+0x31/0x31 __hci_cmd_sync+0x16/0x20 [bluetooth <HASH:3b4a 6>] hci_error_reset+0x4f/0xa4 [bluetooth <HASH:3b4a 6>] process_one_work+0x1d8/0x33f worker_thread+0x21b/0x373 kthread+0x13a/0x152 ? pr_cont_work+0x54/0x54 ? kthread_blkcg+0x31/0x31 ret_from_fork+0x1f/0x30 This patch holds the reference count on the hci_dev while processing
a HCI_EV_HARDWARE_ERROR event to avoid potential crash.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: Bluetooth: evite el posible use-after-free en hci_error_reset Mientras se maneja el evento HCI_EV_HARDWARE_ERROR, si el controlador BT subyacente no responde, el mecanismo de reinicio de GPIO liberaría hci_dev y provocaría un error. use-after-free en hci_error_reset. Este es el seguimiento de llamadas observado en un dispositivo ChromeOS con Intel AX201: queue_work_on+0x3e/0x6c __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth ] ? init_wait_entry+0x31/0x31 __hci_cmd_sync+0x16/0x20 [bluetooth ] hci_error_reset+0x4f/0xa4 [bluetooth ] Process_one_work+0x1d8/0x33f trabajador_thread+0x21b/0x373 kthread+0x13a /0x152 ? pr_cont_work+0x54/0x54? kthread_blkcg+0x31/0x31 ret_from_fork+0x1f/0x30 Este parche mantiene el recuento de referencias en hci_dev mientras procesa un evento HCI_EV_HARDWARE_ERROR para evitar posibles fallas.

A use-after-free flaw was found in the Linux kernel’s Bluetooth subsystem in how it handles hardware failure when it occurs. This flaw allows a local user to potentially crash the system.

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Avoid potential use-after-free in hci_error_reset While handling the HCI_EV_HARDWARE_ERROR event, if the underlying BT controller is not responding, the GPIO reset mechanism would free the hci_dev and lead to a use-after-free in hci_error_reset. Here's the call trace observed on a ChromeOS device with Intel AX201: queue_work_on+0x3e/0x6c __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth <HASH:3b4a6>] ? init_wait_entry+0x31/0x31 __hci_cmd_sync+0x16/0x20 [bluetooth <HASH:3b4a 6>] hci_error_reset+0x4f/0xa4 [bluetooth <HASH:3b4a 6>] process_one_work+0x1d8/0x33f worker_thread+0x21b/0x373 kthread+0x13a/0x152 ? pr_cont_work+0x54/0x54 ? kthread_blkcg+0x31/0x31 ret_from_fork+0x1f/0x30 This patch holds the reference count on the hci_dev while processing a HCI_EV_HARDWARE_ERROR event to avoid potential crash.

Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linux kernel contained a race condition during device removal, leading to a use- after-free vulnerability. A physically proximate attacker could possibly use this to cause a denial of service. Sander Wiebing, Alvise de Faveri Tron, Herbert Bos, and Cristiano Giuffrida discovered that the Linux kernel mitigations for the initial Branch History Injection vulnerability were insufficient for Intel processors. A local attacker could potentially use this to expose sensitive information.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-04-04 CVE Published
2024-12-19 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (13)

URL	Tag	Source
https://git.kernel.org/stable/c/c7741d16a57cbf97eebe53f27e8216b1ff20e20c	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/e0b278650f07acf2e0932149183458468a731c03	2024-03-06
https://git.kernel.org/stable/c/98fb98fd37e42fd4ce13ff657ea64503e24b6090	2024-03-06
https://git.kernel.org/stable/c/6dd0a9dfa99f8990a08eb8fdd8e79bee31c7d8e2	2024-03-06
https://git.kernel.org/stable/c/da4569d450b193e39e87119fd316c0291b585d14	2024-03-06
https://git.kernel.org/stable/c/45085686b9559bfbe3a4f41d3d695a520668f5e1	2024-03-06
https://git.kernel.org/stable/c/2ab9a19d896f5a0dd386e1f001c5309bc35f433b	2024-03-06
https://git.kernel.org/stable/c/dd594cdc24f2e48dab441732e6dfcafd6b0711d1	2024-03-06
https://git.kernel.org/stable/c/2449007d3f73b2842c9734f45f0aadb522daf592	2024-02-28

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-26801	2024-07-23
https://bugzilla.redhat.com/show_bug.cgi?id=2273429	2024-07-23

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.0 < 4.19.309 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.0 < 4.19.309"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.0 < 5.4.271 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.0 < 5.4.271"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.0 < 5.10.212 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.0 < 5.10.212"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.0 < 5.15.151 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.0 < 5.15.151"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.0 < 6.1.81 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.0 < 6.1.81"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.0 < 6.6.21 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.0 < 6.6.21"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.0 < 6.7.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.0 < 6.7.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.0 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.0 < 6.8"		en		Affected