
CVE-2022-49474: Vulnerability in Linux (Linux kernel)

Severity: High
Published: Wed Feb 26 2025 (02/26/2025, 02:13:16 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout

Connecting the same socket twice consecutively in sco_sock_connect() could lead to a race condition where two sco_conn objects are created but only one is associated with the socket. If the socket is closed before the SCO connection is established, the timer associated with the dangling sco_conn object won't be canceled. As the sock object is being freed, the use-after-free problem happens when the timer callback function sco_sock_timeout() accesses the socket.

Here's the call trace:

    dump_stack+0x107/0x163
    ? refcount_inc+0x1c/
    print_address_description.constprop.0+0x1c/0x47e
    ? refcount_inc+0x1c/0x7b
    kasan_report+0x13a/0x173
    ? refcount_inc+0x1c/0x7b
    check_memory_region+0x132/0x139
    refcount_inc+0x1c/0x7b
    sco_sock_timeout+0xb2/0x1ba
    process_one_work+0x739/0xbd1
    ? cancel_delayed_work+0x13f/0x13f
    ? __raw_spin_lock_init+0xf0/0xf0
    ? to_kthread+0x59/0x85
    worker_thread+0x593/0x70e
    kthread+0x346/0x35a
    ? drain_workqueue+0x31a/0x31a
    ? kthread_bind+0x4b/0x4b
    ret_from_fork+0x1f/0x30

AI-Powered Analysis

Last updated: 07/02/2025, 21:41:14 UTC

Technical Analysis

CVE-2022-49474 is a high-severity vulnerability in the Linux kernel's Bluetooth subsystem, specifically in the SCO (Synchronous Connection-Oriented) socket handling code. The flaw is a race condition in sco_sock_connect(): connecting the same socket twice in a row can create two sco_conn objects, only one of which is associated with the socket. If the socket is closed before the SCO connection is fully established, the timer linked to the dangling sco_conn object is never canceled. When the socket object is then freed, the timer callback sco_sock_timeout() can still access that freed memory, which is a use-after-free (CWE-416). The kernel stack trace in the description shows the use-after-free being reported inside sco_sock_timeout().

The resulting memory corruption could allow an attacker to execute arbitrary code with kernel privileges or to crash the system (denial of service). Exploitation requires local access as a low-privileged user and no user interaction. The CVSS v3.1 score is 7.8 (high), reflecting high impact on confidentiality, integrity, and availability, low attack complexity, required privileges, and no user interaction.

The issue affects multiple Linux kernel versions, identified by specific commit hashes. It has been publicly disclosed and patched; no exploits in the wild have been reported so far. The vulnerability matters because Bluetooth is widely used on Linux systems, including desktops, laptops, embedded devices, and IoT, so the attack surface is broad, and successful exploitation would mean privilege escalation or kernel-level code execution.

Potential Impact

For European organizations, this vulnerability poses a substantial risk, especially in environments that rely on Linux systems with Bluetooth enabled. Enterprises using Linux-based laptops, desktops, servers, or embedded devices with Bluetooth connectivity could be targeted for privilege escalation or denial of service, potentially disrupting business operations or leading to data breaches. Industrial control systems and IoT devices running vulnerable Linux kernels could also be compromised, affecting critical infrastructure sectors that are prevalent in Europe, such as manufacturing, energy, and transportation. Confidentiality, integrity, and availability could all be severely affected, with attackers gaining kernel-level access to sensitive systems. Given the widespread use of Linux in European governments, research institutions, and enterprises, the vulnerability could be leveraged for espionage or sabotage. The requirement for local privileges rules out direct remote exploitation, but insider threats or compromised user accounts could still trigger attacks. The absence of known exploits in the wild currently reduces immediate risk, but the high severity and the ease of exploitation once local access is obtained make urgent mitigation necessary.

Mitigation Recommendations

European organizations should promptly apply the official Linux kernel patches that address CVE-2022-49474. Since the vulnerability is in the Bluetooth SCO socket handling, disabling Bluetooth on systems where it is not required can reduce the attack surface. For systems that must use Bluetooth, ensure kernel versions are updated to the fixed releases. Employ strict access controls and monitoring to limit local user privileges and detect suspicious activities related to socket operations or kernel timers. Utilize kernel hardening features such as Kernel Address Space Layout Randomization (KASLR), Kernel Page Table Isolation (KPTI), and memory protection mechanisms to mitigate exploitation impact. Regularly audit and update embedded and IoT devices running Linux kernels, as these are often overlooked in patch management. Implement endpoint detection and response (EDR) solutions capable of identifying anomalous kernel-level behavior. Finally, educate users about the risks of local privilege misuse and enforce least privilege principles to minimize potential exploitation vectors.
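The checks recommended above (is the Bluetooth SCO code even loaded, is the running kernel at or above the fixed release, and how to keep the module from loading where Bluetooth is not needed) can be scripted. The following POSIX sh helper is an added example written for this page; it is not part of the advisory or of the Linux kernel project. The function names, the constructed lsmod listing used for offline testing, and the FIXED_KERNEL placeholder (the page does not state fixed version numbers, so take that value from your distribution's advisory) are all assumptions of the example.

```shell
#!/bin/sh
# Added example for CVE-2022-49474 mitigation checks (not the advisory's or the
# kernel project's own code). Each check is a function that takes its input as an
# argument, so it can be exercised offline against constructed data.

# bt_module_loaded LSMOD_OUTPUT
# Returns 0 when the listing (the text `lsmod` prints) shows the "bluetooth"
# module, i.e. the SCO socket code affected by this CVE is resident in the kernel.
bt_module_loaded() {
    printf '%s\n' "$1" | awk '$1 == "bluetooth" { found = 1 } END { exit !found }'
}

# kernel_at_least RUNNING MINIMUM
# Returns 0 when RUNNING (in `uname -r` form, e.g. 6.1.0-21-amd64) is at least
# MINIMUM. The distro suffix after the first "-" is ignored and only the dotted
# numeric part is compared, component by component.
kernel_at_least() {
    run=${1%%-*}
    min=${2%%-*}
    awk -v a="$run" -v b="$min" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# bt_blacklist_conf
# Prints a modprobe.d fragment that stops the bluetooth core module (and the USB
# driver that pulls it in) from auto-loading on hosts that do not need Bluetooth.
# Save it as /etc/modprobe.d/no-bluetooth.conf (path is an assumption).
bt_blacklist_conf() {
    cat <<'EOF'
# CVE-2022-49474: Bluetooth not required on this host
install bluetooth /bin/false
install btusb /bin/false
EOF
}

# audit_host
# Live audit of the current machine. FIXED_KERNEL is a placeholder: set it to the
# first fixed kernel version from your distribution's advisory for this CVE.
audit_host() {
    fixed=${FIXED_KERNEL:-0.0.0}
    running=$(uname -r)
    if bt_module_loaded "$(lsmod 2>/dev/null)"; then
        echo "bluetooth module loaded: affected SCO socket code is resident"
        if kernel_at_least "$running" "$fixed"; then
            echo "kernel $running >= $fixed: fixed release"
        else
            echo "kernel $running < $fixed: update, or install this blacklist:"
            bt_blacklist_conf
        fi
    else
        echo "bluetooth module not loaded: CVE-2022-49474 code path not resident"
    fi
}

# Run the live audit only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    audit_host
fi
```

Run it as `FIXED_KERNEL=<version from your distro advisory> sh audit.sh --run`. The blacklist is a compensating control for hosts that cannot be rebooted onto a patched kernel immediately; it does nothing for a module that is already loaded, so follow it with a reboot or `rfkill block bluetooth` plus `modprobe -r`.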


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-26T02:08:31.579Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9820c4522896dcbdd6b7

Added to database: 5/21/2025, 9:08:48 AM

Last enriched: 7/2/2025, 9:41:14 PM

Last updated: 8/17/2025, 12:23:29 AM

