
CVE-2022-49111: Vulnerability in Linux

Severity: High
Published: Wed Feb 26 2025 (02/26/2025, 01:54:56 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: Fix use after free in hci_send_acl

This fixes the following trace, caused by receiving HCI_EV_DISCONN_PHY_LINK_COMPLETE, which calls hci_conn_del without first checking whether conn->type is in fact AMP_LINK and, if it is, properly cleaning up the upper layers with hci_disconn_cfm:

==================================================================
BUG: KASAN: use-after-free in hci_send_acl+0xaba/0xc50
Read of size 8 at addr ffff88800e404818 by task bluetoothd/142

CPU: 0 PID: 142 Comm: bluetoothd Not tainted 5.17.0-rc5-00006-gda4022eeac1a #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x45/0x59
 print_address_description.constprop.0+0x1f/0x150
 kasan_report.cold+0x7f/0x11b
 hci_send_acl+0xaba/0xc50
 l2cap_do_send+0x23f/0x3d0
 l2cap_chan_send+0xc06/0x2cc0
 l2cap_sock_sendmsg+0x201/0x2b0
 sock_sendmsg+0xdc/0x110
 sock_write_iter+0x20f/0x370
 do_iter_readv_writev+0x343/0x690
 do_iter_write+0x132/0x640
 vfs_writev+0x198/0x570
 do_writev+0x202/0x280
 do_syscall_64+0x38/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae
Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 14 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
RSP: 002b:00007ffce8a099b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 00007ffce8a099e0 RCX: 00007f788fc3cf77
RDX: 0000000000000001 RSI: 00007ffce8a099e0 RDI: 0000000000000015
RBP: 0000000000000015 R08: 0000000000000002 R09: 0000000000000001
R10: 00007ffce8af7080 R11: 0000000000000246 R12: 000055e4ccf75580
R13: 000055e4ccf754a0 R14: 000055e4ccf75cd0 R15: 000055e4ccf4a6b0
 </TASK>

Allocated by task 45:
 kasan_save_stack+0x1e/0x40
 __kasan_kmalloc+0x81/0xa0
 hci_chan_create+0x9a/0x2f0
 l2cap_conn_add.part.0+0x1a/0xdc0
 l2cap_connect_cfm+0x236/0x1000
 le_conn_complete_evt+0x15a7/0x1db0
 hci_le_conn_complete_evt+0x226/0x2c0
 hci_le_meta_evt+0x247/0x450
 hci_event_packet+0x61b/0xe90
 hci_rx_work+0x4d5/0xc50
 process_one_work+0x8fb/0x15a0
 worker_thread+0x576/0x1240
 kthread+0x29d/0x340
 ret_from_fork+0x1f/0x30

Freed by task 45:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 kasan_set_free_info+0x20/0x30
 __kasan_slab_free+0xfb/0x130
 kfree+0xac/0x350
 hci_conn_cleanup+0x101/0x6a0
 hci_conn_del+0x27e/0x6c0
 hci_disconn_phylink_complete_evt+0xe0/0x120
 hci_event_packet+0x812/0xe90
 hci_rx_work+0x4d5/0xc50
 process_one_work+0x8fb/0x15a0
 worker_thread+0x576/0x1240
 kthread+0x29d/0x340
 ret_from_fork+0x1f/0x30

The buggy address belongs to the object at ffff88800c0f0500
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 24 bytes inside of
 128-byte region [ffff88800c0f0500, ffff88800c0f0580)
The buggy address belongs to the page:
page:00000000fe45cd86 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xc0f0
flags: 0x100000000000200(slab|node=0|zone=1)
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
raw: 0100000000000200 ffffea00003a2c80 dead000000000004 ffff8880078418c0
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88800c0f0400: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
 ffff88800c0f0480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88800c0f0500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88800c0f0580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
---truncated---

AI-Powered Analysis

Last updated: 07/03/2025, 03:40:29 UTC

Technical Analysis

CVE-2022-49111 is a high-severity use-after-free vulnerability in the Linux kernel's Bluetooth subsystem, reported in the hci_send_acl function. The flaw arises when the kernel receives an HCI_EV_DISCONN_PHY_LINK_COMPLETE event and hci_disconn_phylink_complete_evt calls hci_conn_del without first verifying that the connection type is AMP_LINK and, if it is, notifying the upper layers through hci_disconn_cfm. Because the L2CAP layer is never told that the connection is gone, it keeps using the hci_chan object allocated in hci_chan_create, which hci_conn_del has already released through hci_conn_cleanup and kfree; the next write on the L2CAP socket (l2cap_sock_sendmsg, l2cap_do_send) reaches hci_send_acl and reads 8 bytes from the freed object. The Kernel Address Sanitizer (KASAN) detected the bug and reported this read of freed memory, as the trace in the description shows; the allocation, free and access stacks together pin the root cause to connection cleanup in the Bluetooth stack.

The CVE record lists the affected kernel versions by commit hash rather than by release number, i.e., it identifies a specific code state. Per the CVSS vector (AV:L/AC:L/PR:L/UI:N), exploitation requires local, low-privileged access, has low attack complexity and needs no user interaction. The impact is rated as full loss of confidentiality, integrity and availability, since a kernel use-after-free can crash the kernel or potentially lead to arbitrary code execution in kernel context. No exploits in the wild are currently reported, but the nature of the bug makes it a serious risk for systems that rely on Bluetooth. The weakness is classified as CWE-416 (Use After Free), a common and dangerous class of memory corruption. The Linux kernel maintainers have resolved the issue, but this record provides no direct patch link.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for those operating Linux-based infrastructure with Bluetooth enabled. This includes enterprises using Linux servers, embedded systems, IoT devices and mobile devices that rely on Bluetooth connectivity. Exploitation could lead to privilege escalation, allowing attackers to execute arbitrary code in kernel space and resulting in system compromise, data theft or denial of service. Critical sectors such as manufacturing, healthcare, transportation and telecommunications that use Linux-based Bluetooth-enabled devices could face operational disruption. Organizations with remote or hybrid workforces using Linux laptops or devices with Bluetooth enabled are also exposed to targeted attacks. The requirement for local privileges means that an attacker needs some level of access first, but the low complexity and the absence of any user interaction lower the barrier for insiders or for malware that has gained an initial foothold. The lack of known exploits in the wild provides a window for mitigation, but the high impact on confidentiality, integrity and availability demands urgent attention.

Mitigation Recommendations

1. Apply Linux kernel updates that address CVE-2022-49111 as soon as they are available. Monitor the official Linux kernel repositories and distribution security advisories for the fix and deploy it promptly.
2. Disable Bluetooth on Linux systems where it is not required, reducing the attack surface.
3. On systems that need Bluetooth, enforce strict access controls that limit local user privileges and prevent unauthorized code execution.
4. Build test and CI kernels with the Kernel Address Sanitizer (KASAN) to catch similar memory-corruption issues proactively; KASAN is a debugging tool for test environments, not a production hardening option.
5. Monitor system logs and kernel messages (dmesg, the journal) for unusual Bluetooth-related errors or crashes that may indicate exploitation attempts.
6. Use endpoint detection and response (EDR) tools capable of detecting anomalous kernel behaviour or privilege-escalation attempts.
7. Conduct regular security audits of Linux systems that cover Bluetooth usage and kernel version compliance.
8. Educate system administrators and users about the risks of local privilege-escalation vulnerabilities and enforce the principle of least privilege.
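The log monitoring in item 5 needs something that turns a KASAN report into fields a detection rule can act on. The following is an added example, not code from the advisory or from the kernel project: it parses the report header and the call, allocation and free stacks, and raises an alert when a use-after-free touches Bluetooth subsystem symbols. The sample input is a constructed excerpt of the trace quoted in the description, with dmesg timestamps assumed to be already stripped.

```python
import re

# Constructed sample: a few lines of the KASAN report quoted in the CVE-2022-49111
# description, as they appear in dmesg/journal output (timestamps already stripped).
SAMPLE_DMESG = """\
BUG: KASAN: use-after-free in hci_send_acl+0xaba/0xc50
Read of size 8 at addr ffff88800e404818 by task bluetoothd/142
Call Trace:
 hci_send_acl+0xaba/0xc50
 l2cap_sock_sendmsg+0x201/0x2b0
Allocated by task 45:
 hci_chan_create+0x9a/0x2f0
 l2cap_conn_add.part.0+0x1a/0xdc0
Freed by task 45:
 kfree+0xac/0x350
 hci_disconn_phylink_complete_evt+0xe0/0x120
"""

HEX = r"0x[0-9a-f]+"
BUG_RE = re.compile(rf"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+{HEX}/{HEX}")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr \w+ by task (?P<task>\S+)")
FRAME_RE = re.compile(rf"^\s+(?P<func>[A-Za-z_][\w.]*)\+{HEX}/{HEX}$")
BT_PREFIXES = ("hci_", "l2cap_", "sco_", "rfcomm_")  # Bluetooth subsystem symbol prefixes

def parse_kasan_report(text):
    """Bug kind, faulting function, access details and call/alloc/free stacks of the first KASAN report, else None."""
    report, section = None, None
    for line in text.splitlines():
        if m := BUG_RE.search(line):
            report, section = {"kind": m["kind"], "func": m["func"], "stacks": {}}, "trace"
        elif report is None:
            continue
        elif m := ACCESS_RE.search(line):
            report.update(op=m["op"], size=int(m["size"]), task=m["task"])
        elif line.startswith("Allocated by"):
            section = "alloc"
        elif line.startswith("Freed by"):
            section = "free"
        elif m := FRAME_RE.match(line):
            report["stacks"].setdefault(section, []).append(m["func"])
    return report

def bluetooth_uaf_alert(text):
    """True when the report is a use-after-free and any frame, faulting function included, is a Bluetooth symbol."""
    r = parse_kasan_report(text)
    if r is None or r["kind"] != "use-after-free":
        return False
    frames = [r["func"]] + [f for stack in r["stacks"].values() for f in stack]
    return any(f.startswith(BT_PREFIXES) for f in frames)
```

Feed it the output of dmesg or journalctl -k with timestamps removed; on a production kernel without KASAN, the same parser still matches plain BUG reports only if the header format is adapted.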


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-26T01:49:39.261Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d982fc4522896dcbe6b92

Added to database: 5/21/2025, 9:09:03 AM

Last enriched: 7/3/2025, 3:40:29 AM

Last updated: 8/17/2025, 2:07:50 AM

