CVE-2022-49470: Vulnerability in the Linux kernel (vendor: Linux)
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btmtksdio: fix use-after-free at btmtksdio_recv_event

We should not access skb buffer data anymore after hci_recv_frame was called.

[ 39.634809] BUG: KASAN: use-after-free in btmtksdio_recv_event+0x1b0
[ 39.634855] Read of size 1 at addr ffffff80cf28a60d by task kworker
[ 39.634962] Call trace:
[ 39.634974] dump_backtrace+0x0/0x3b8
[ 39.634999] show_stack+0x20/0x2c
[ 39.635016] dump_stack_lvl+0x60/0x78
[ 39.635040] print_address_description+0x70/0x2f0
[ 39.635062] kasan_report+0x154/0x194
[ 39.635079] __asan_report_load1_noabort+0x44/0x50
[ 39.635099] btmtksdio_recv_event+0x1b0/0x1c4
[ 39.635129] btmtksdio_txrx_work+0x6cc/0xac4
[ 39.635157] process_one_work+0x560/0xc5c
[ 39.635177] worker_thread+0x7ec/0xcc0
[ 39.635195] kthread+0x2d0/0x3d0
[ 39.635215] ret_from_fork+0x10/0x20
[ 39.635247] Allocated by task 0:
[ 39.635260] (stack is not available)
[ 39.635281] Freed by task 2392:
[ 39.635295] kasan_save_stack+0x38/0x68
[ 39.635319] kasan_set_track+0x28/0x3c
[ 39.635338] kasan_set_free_info+0x28/0x4c
[ 39.635357] ____kasan_slab_free+0x104/0x150
[ 39.635374] __kasan_slab_free+0x18/0x28
[ 39.635391] slab_free_freelist_hook+0x114/0x248
[ 39.635410] kfree+0xf8/0x2b4
[ 39.635427] skb_free_head+0x58/0x98
[ 39.635447] skb_release_data+0x2f4/0x410
[ 39.635464] skb_release_all+0x50/0x60
[ 39.635481] kfree_skb+0xc8/0x25c
[ 39.635498] hci_event_packet+0x894/0xca4 [bluetooth]
[ 39.635721] hci_rx_work+0x1c8/0x68c [bluetooth]
[ 39.635925] process_one_work+0x560/0xc5c
[ 39.635951] worker_thread+0x7ec/0xcc0
[ 39.635970] kthread+0x2d0/0x3d0
[ 39.635990] ret_from_fork+0x10/0x20
[ 39.636021] The buggy address belongs to the object at ffffff80cf28a600 which belongs to the cache kmalloc-512 of size 512
[ 39.636039] The buggy address is located 13 bytes inside of 512-byte region [ffffff80cf28a600, ffffff80cf28a800)
AI Analysis
Technical Summary
CVE-2022-49470 is a use-after-free (CWE-416) in btmtksdio, the Linux kernel driver for MediaTek Bluetooth controllers attached over SDIO. The driver's receive path (btmtksdio_txrx_work, then btmtksdio_recv_event) takes an incoming HCI event skb, hands it to hci_recv_frame, and afterwards still reads the event header through a pointer into skb->data. hci_recv_frame transfers ownership of the skb to the HCI core, which queues it for hci_rx_work; that worker can run on another CPU and release the buffer (hci_event_packet, kfree_skb, skb_release_data, kfree, as the "Freed by task 2392" stack in the report shows) before the driver's follow-up read executes. The KASAN report captures exactly that window: a one-byte read at an address 13 bytes inside a freed kmalloc-512 object, issued from the btmtksdio worker while the free was performed by the Bluetooth RX worker. The defect is therefore a race on skb ownership rather than a premature free. Once hci_recv_frame has been called the skb belongs to the HCI core, and any field the driver still needs has to be copied out beforehand; the commit message states the rule directly ("we should not access skb buffer data anymore after hci_recv_frame was called"). The advisory carries a CVSS v3.1 base score of 7.8 (local attack vector, low attack complexity, low privileges, no user interaction, high confidentiality, integrity and availability impact). Two caveats help put that score in context. First, the access in the report is a single-byte read on a kernel worker thread, so the directly observable outcome is a kernel oops or panic, or a misread event code; turning a read-side race of this kind into arbitrary kernel code execution would require winning the race reliably and controlling what is reallocated into the freed slab slot, and no public exploit is reported. Second, the vulnerable code only runs where the btmtksdio module is built and loaded, i.e. on systems with a MediaTek SDIO Bluetooth chipset. Affected versions are identified in the advisory by upstream commit hashes rather than release numbers, so mapping them to a distribution kernel means checking that distribution's changelog for the fix titled "Bluetooth: btmtksdio: fix use-after-free at btmtksdio_recv_event".
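To make the ownership hand-off concrete, here is an added user-space C model of the bug and its fix. It is not kernel code and not the upstream patch: sk_buff, hci_event_hdr, hci_recv_frame_sim and the rx_consumed queue are simplified stand-ins, the 0x6b poison byte mirrors what SLUB writes over freed objects when poisoning is enabled, and the Command Complete event is constructed for the example. The simulation forces the race to its worst case by consuming and poisoning the buffer inside hci_recv_frame_sim, which is what hci_rx_work can do on another CPU in the real kernel.

```c
/* Added example: models the skb ownership hand-off behind CVE-2022-49470.
 * Stand-alone user-space C; names mimic the kernel but are stand-ins. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HCI_EV_CMD_COMPLETE 0x0e   /* real HCI event code: Command Complete */
#define POISON_FREE         0x6b   /* byte SLUB writes over freed objects (poisoning on) */
#define SKB_HEAD_SIZE       512    /* size class of the freed object in the KASAN report */
#define RX_QUEUE_MAX        16

struct sk_buff {                   /* minimal stand-in for the kernel's sk_buff */
    uint8_t *head;
    uint8_t *data;
    size_t   len;
};

struct hci_event_hdr {             /* same layout as the kernel's hci_event_hdr */
    uint8_t evt;
    uint8_t plen;
};

static struct sk_buff *alloc_event_skb(uint8_t evt, const uint8_t *params, uint8_t plen)
{
    struct sk_buff *skb = calloc(1, sizeof *skb);
    skb->head = calloc(1, SKB_HEAD_SIZE);
    skb->data = skb->head + 8;     /* small headroom, as drivers reserve for headers */
    skb->data[0] = evt;
    skb->data[1] = plen;
    memcpy(skb->data + 2, params, plen);
    skb->len = 2u + plen;
    return skb;
}

static void free_skb(struct sk_buff *skb) { free(skb->head); free(skb); }

/* Stand-in for hci_recv_frame(): on success the skb belongs to the HCI core,
 * which in the kernel may kfree_skb() it on another CPU at any moment. Here
 * the buffer is consumed at once and poisoned like a freed SLUB object; the
 * memory itself is returned later by drain_rx_queue(), so reading it stays
 * well-defined C. Returns -1 (queue full) when the caller keeps ownership. */
static struct sk_buff *rx_consumed[RX_QUEUE_MAX];
static size_t rx_consumed_n;

static int hci_recv_frame_sim(struct sk_buff *skb)
{
    if (rx_consumed_n == RX_QUEUE_MAX)
        return -1;
    memset(skb->head, POISON_FREE, SKB_HEAD_SIZE);
    rx_consumed[rx_consumed_n++] = skb;
    return 0;
}

static void drain_rx_queue(void)
{
    for (size_t i = 0; i < rx_consumed_n; i++)
        free_skb(rx_consumed[i]);
    rx_consumed_n = 0;
}

/* Vulnerable shape: hdr still points into skb->data after the hand-off.
 * Returns the event code it believes it read, or -1 on error. */
static int recv_event_vulnerable(struct sk_buff *skb)
{
    struct hci_event_hdr *hdr = (struct hci_event_hdr *)skb->data;
    if (hci_recv_frame_sim(skb) < 0) { free_skb(skb); return -1; }
    return hdr->evt;               /* use-after-free: reads whatever now fills the slot */
}

/* Fixed shape: copy out what is needed while the driver still owns the skb,
 * then never touch skb->data again. */
static int recv_event_fixed(struct sk_buff *skb)
{
    struct hci_event_hdr *hdr = (struct hci_event_hdr *)skb->data;
    uint8_t evt = hdr->evt;
    if (hci_recv_frame_sim(skb) < 0) { free_skb(skb); return -1; }
    return evt;
}

/* Constructed sample: Command Complete for HCI_Reset (ncmd=1, opcode 0x0c03, status 0). */
static struct sk_buff *sample_cmd_complete(void)
{
    static const uint8_t params[] = { 0x01, 0x03, 0x0c, 0x00 };
    return alloc_event_skb(HCI_EV_CMD_COMPLETE, params, sizeof params);
}

int main(void)
{
    printf("fixed      reads evt=0x%02x\n", recv_event_fixed(sample_cmd_complete()));
    printf("vulnerable reads evt=0x%02x\n", recv_event_vulnerable(sample_cmd_complete()));
    drain_rx_queue();
    return 0;
}
```

The fixed variant returns the real event code (0x0e); the vulnerable one returns the poison byte (0x6b), which on a production kernel without poisoning would instead be whatever the slab slot had been reused for. Compiling the same program with -fsanitize=address and replacing the poisoning with a real free() in hci_recv_frame_sim reproduces a report of the same shape as the KASAN output above.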
Potential Impact
For European organizations the exposure is concentrated on Linux systems that actually carry a MediaTek SDIO Bluetooth controller: laptops and Chromebook-class devices, single-board computers, and embedded or IoT products built on MediaTek platforms, rather than the general server estate, where the btmtksdio module is normally not built or not loaded. On an affected device the vulnerable path runs for every HCI event the controller delivers, so it is exercised by ordinary Bluetooth activity, and the most likely consequence is a kernel oops or panic and the resulting downtime. That matters most where such devices sit in production roles, for example industrial or medical equipment with embedded Linux. Because the advisory rates confidentiality, integrity and availability impact as high, a successful weaponization of the race would run in kernel context and could be used by an attacker who already has a local foothold to escalate privileges and then move laterally; no such exploit is publicly known. The local attack vector means this is not a remote entry point, but it does not remove the risk on multi-user or partly trusted endpoints, where an attacker who gains low-privileged access by other means could use a kernel memory-safety bug to deepen control.
Mitigation Recommendations
Organizations should update to a kernel that carries the fix; for distribution kernels, confirm the fix by searching the package changelog for "btmtksdio: fix use-after-free at btmtksdio_recv_event" rather than relying on the version number alone, since affected ranges are published as upstream commits. Establish exposure first: the bug is reachable only when the btmtksdio module is loaded, which can be checked on a running system via lsmod or the presence of /sys/module/btmtksdio, and inventories should flag devices with MediaTek SDIO Bluetooth hardware. Systems without that hardware are not exposed to this particular bug but should still take the kernel update. Where Bluetooth is not required, blacklist btmtksdio in modprobe configuration or disable Bluetooth entirely, and isolate devices that cannot be patched, such as embedded or IoT equipment awaiting vendor firmware, from critical network segments. Limiting local user privileges and the set of accounts that can drive Bluetooth activity reduces who can exercise the path. On detection, note that KASAN is a debug feature that production kernels do not ship with; a production hit on this bug shows up as an oops, panic or warning naming btmtksdio_recv_event or btmtksdio_txrx_work, or as silently misbehaving Bluetooth, not as a KASAN line, so monitor kernel logs and crash dumps for those symbols. KASLR and hardened slab freelists raise the cost of weaponizing a use-after-free and should be left enabled; kernel lockdown does not address memory-safety bugs and is not a mitigation here. Keep incident response procedures current so that unexplained Bluetooth-related kernel crashes on affected hardware are triaged as possible exploitation attempts rather than dismissed as driver flakiness.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T02:08:31.578Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d982ec4522896dcbe5b3b
Added to database: 5/21/2025, 9:09:02 AM
Last enriched: 7/3/2025, 3:09:44 AM
Last updated: 8/18/2025, 5:24:57 AM