
CVE-2022-49909: Vulnerability in Linux

Severity: High
Published: Thu May 01 2025 (05/01/2025, 14:10:52 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del()

When l2cap_recv_frame() is invoked to receive data, and the cid is L2CAP_CID_A2MP, if the channel does not exist, it will create a channel. However, after a channel is created, the hold operation of the channel is not performed. In this case, the value of channel reference counting is 1. As a result, after hci_error_reset() is triggered, l2cap_conn_del() invokes the close hook function of A2MP to release the channel. Then l2cap_chan_unlock(chan) will trigger UAF issue.

The process is as follows:

Receive data:
    l2cap_data_channel()
        a2mp_channel_create()        --->channel ref is 2
        l2cap_chan_put()             --->channel ref is 1

Trigger event:
    hci_error_reset()
        hci_dev_do_close()
        ...
        l2cap_disconn_cfm()
            l2cap_conn_del()
                l2cap_chan_hold()    --->channel ref is 2
                l2cap_chan_del()     --->channel ref is 1
                a2mp_chan_close_cb() --->channel ref is 0, release channel
                l2cap_chan_unlock()  --->UAF of channel

The detailed Call Trace is as follows:

    BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0xa6/0x5e0
    Read of size 8 at addr ffff8880160664b8 by task kworker/u11:1/7593
    Workqueue: hci0 hci_error_reset
    Call Trace:
     <TASK>
     dump_stack_lvl+0xcd/0x134
     print_report.cold+0x2ba/0x719
     kasan_report+0xb1/0x1e0
     kasan_check_range+0x140/0x190
     __mutex_unlock_slowpath+0xa6/0x5e0
     l2cap_conn_del+0x404/0x7b0
     l2cap_disconn_cfm+0x8c/0xc0
     hci_conn_hash_flush+0x11f/0x260
     hci_dev_close_sync+0x5f5/0x11f0
     hci_dev_do_close+0x2d/0x70
     hci_error_reset+0x9e/0x140
     process_one_work+0x98a/0x1620
     worker_thread+0x665/0x1080
     kthread+0x2e4/0x3a0
     ret_from_fork+0x1f/0x30
     </TASK>

    Allocated by task 7593:
     kasan_save_stack+0x1e/0x40
     __kasan_kmalloc+0xa9/0xd0
     l2cap_chan_create+0x40/0x930
     amp_mgr_create+0x96/0x990
     a2mp_channel_create+0x7d/0x150
     l2cap_recv_frame+0x51b8/0x9a70
     l2cap_recv_acldata+0xaa3/0xc00
     hci_rx_work+0x702/0x1220
     process_one_work+0x98a/0x1620
     worker_thread+0x665/0x1080
     kthread+0x2e4/0x3a0
     ret_from_fork+0x1f/0x30

    Freed by task 7593:
     kasan_save_stack+0x1e/0x40
     kasan_set_track+0x21/0x30
     kasan_set_free_info+0x20/0x30
     ____kasan_slab_free+0x167/0x1c0
     slab_free_freelist_hook+0x89/0x1c0
     kfree+0xe2/0x580
     l2cap_chan_put+0x22a/0x2d0
     l2cap_conn_del+0x3fc/0x7b0
     l2cap_disconn_cfm+0x8c/0xc0
     hci_conn_hash_flush+0x11f/0x260
     hci_dev_close_sync+0x5f5/0x11f0
     hci_dev_do_close+0x2d/0x70
     hci_error_reset+0x9e/0x140
     process_one_work+0x98a/0x1620
     worker_thread+0x665/0x1080
     kthread+0x2e4/0x3a0
     ret_from_fork+0x1f/0x30

    Last potentially related work creation:
     kasan_save_stack+0x1e/0x40
     __kasan_record_aux_stack+0xbe/0xd0
     call_rcu+0x99/0x740
     netlink_release+0xe6a/0x1cf0
     __sock_release+0xcd/0x280
     sock_close+0x18/0x20
     __fput+0x27c/0xa90
     task_work_run+0xdd/0x1a0
     exit_to_user_mode_prepare+0x23c/0x250
     syscall_exit_to_user_mode+0x19/0x50
     do_syscall_64+0x42/0x80
     entry_SYSCALL_64_after_hwframe+0x63/0xcd

    Second to last potentially related work creation:
     kasan_save_stack+0x1e/0x40
     __kasan_record_aux_stack+0xbe/0xd0
     call_rcu+0x99/0x740
     netlink_release+0xe6a/0x1cf0
     __sock_release+0xcd/0x280
     sock_close+0x18/0x20
     __fput+0x27c/0xa90
     task_work_run+0xdd/0x1a0
     exit_to_user_mode_prepare+0x23c/0x250
     syscall_exit_to_user_mode+0x19/0x50
     do_syscall_64+0x42/0x80
     entry_SYSCALL_64_after_hwframe+0x63/0xcd

AI-Powered Analysis

Last updated: 06/28/2025, 01:09:59 UTC

Technical Analysis

CVE-2022-49909 is a use-after-free (UAF) vulnerability in the Linux kernel's Bluetooth subsystem, specifically within the L2CAP (Logical Link Control and Adaptation Protocol) layer. The flaw lies in how A2MP (Alternate MAC/PHY Manager Protocol) channels are created and torn down. When the kernel receives data via l2cap_recv_frame() with a channel identifier (cid) of L2CAP_CID_A2MP and no matching channel exists, it creates one. The reference counting on this new channel is mishandled: the hold that should follow creation is never taken, so the count settles at 1, and the reference drops performed by the normal teardown path are then enough to reach zero. When an error reset (hci_error_reset()) later closes the HCI device, l2cap_conn_del() takes a hold, deletes the channel and runs the A2MP close hook; those drops bring the count to zero and free the channel. l2cap_conn_del() then calls l2cap_chan_unlock() on the already-freed channel, which is the use-after-free. With Kernel Address Sanitizer (KASAN) enabled, this is reported as an invalid read during the mutex unlock (__mutex_unlock_slowpath). The issue can lead to kernel crashes or potential arbitrary code execution in kernel space if exploited. The vulnerability affects multiple Linux kernel versions identified by specific commit hashes and was publicly disclosed on May 1, 2025. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.
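The reference-count sequence in the description and the analysis above can be followed step by step in a small model. The program below is an added example written for this page; it is not kernel code, and the names chan_hold, chan_put, chan_unlock, receive_a2mp_frame, tear_down and simulate are constructed stand-ins for the kernel functions they mimic. It replays the description's counts (2 after creation, 1 after the trailing put, then hold/del/close in the teardown) once without the missing hold and once with it, and reports whether the unlock happens after the simulated free. The free is modelled with a flag rather than a real free(), so the program itself never touches released memory.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Toy model of a refcounted L2CAP channel (constructed for this example;
 * not the kernel's struct l2cap_chan). The "free" is a flag so the model
 * can report a use-after-free without ever performing one.
 */
struct chan {
    int  refcnt;
    bool locked;
    bool freed;   /* set when refcnt reaches 0 (stands in for kfree()) */
};

struct result {
    bool uaf;     /* channel touched after its simulated free */
    bool freed;   /* channel was eventually released (no leak) */
};

/* Stand-in for l2cap_chan_hold(): take one more reference. */
static void chan_hold(struct chan *c) { c->refcnt++; }

/* Stand-in for l2cap_chan_put(): drop a reference, release at zero. */
static void chan_put(struct chan *c)
{
    if (--c->refcnt == 0)
        c->freed = true;
}

static void chan_lock(struct chan *c) { c->locked = true; }

/* Stand-in for l2cap_chan_unlock(): the call where KASAN fired. */
static bool chan_unlock(struct chan *c)
{
    if (c->freed)
        return false;          /* would be a use-after-free */
    c->locked = false;
    return true;
}

/*
 * Receive path: an A2MP frame arrives and no channel exists yet. The
 * description reports refcount 2 right after a2mp_channel_create() and
 * 1 after the trailing l2cap_chan_put(). take_hold models the hold the
 * description identifies as missing.
 */
static struct chan *receive_a2mp_frame(bool take_hold)
{
    struct chan *c = calloc(1, sizeof *c);
    if (!c)
        exit(EXIT_FAILURE);
    c->refcnt = 2;             /* count observed after a2mp_channel_create() */
    if (take_hold)
        chan_hold(c);          /* the hold that should follow creation */
    chan_put(c);               /* trailing l2cap_chan_put() */
    return c;
}

/* Teardown path: l2cap_conn_del() reached from hci_error_reset(). */
static struct result tear_down(struct chan *c)
{
    struct result r = {0};

    chan_hold(c);              /* l2cap_chan_hold()   */
    chan_lock(c);
    chan_put(c);               /* l2cap_chan_del() drops one reference */
    chan_put(c);               /* a2mp_chan_close_cb() drops the A2MP one */
    if (!chan_unlock(c))       /* l2cap_chan_unlock(chan) */
        r.uaf = true;          /* bookkeeping after a UAF is meaningless */
    else
        chan_put(c);           /* balances the hold taken above */

    r.freed = c->freed;
    free(c);                   /* the model's own storage, not the "kfree" */
    return r;
}

/* fixed == false replays the bug; fixed == true adds the missing hold. */
struct result simulate(bool fixed)
{
    return tear_down(receive_a2mp_frame(fixed));
}

int main(void)
{
    struct result bug = simulate(false);
    struct result ok  = simulate(true);

    printf("without hold: uaf=%d freed=%d\n", bug.uaf, bug.freed);
    printf("with hold:    uaf=%d freed=%d\n", ok.uaf, ok.freed);
    return 0;
}
```

Both runs release the channel in the end; the difference is only when the count reaches zero relative to the unlock. That is the property a reviewer checks in any refcount audit: every path that drops a reference must be matched by a hold taken before the object can be touched again.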

Potential Impact

For European organizations, this vulnerability poses a significant risk to systems running vulnerable Linux kernel versions with Bluetooth enabled, especially those using Bluetooth for critical communications or device management. Exploitation could lead to kernel crashes (denial of service), potentially disrupting services and operations. More critically, a successful exploit might allow an attacker to execute arbitrary code with kernel privileges, compromising system confidentiality, integrity, and availability. This is particularly concerning for sectors relying on Linux-based embedded systems, IoT devices, or industrial control systems that utilize Bluetooth connectivity. The vulnerability could be leveraged in targeted attacks against enterprise infrastructure, telecommunications equipment, or critical infrastructure components. Given the widespread use of Linux in European data centers, government agencies, and enterprises, the impact could be broad if patches are not applied promptly.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernel to versions where this vulnerability is patched. Since no direct patch links are provided, organizations should monitor official Linux kernel repositories and distributions for updates addressing CVE-2022-49909. In environments where immediate patching is not feasible, disabling Bluetooth functionality or restricting Bluetooth usage to trusted devices can reduce the attack surface. Additionally, enabling Kernel Address Sanitizer (KASAN) in testing environments can surface similar reference-counting issues early; note that the KASAN report in the description only appears on kernels built with KASAN, and a production kernel hitting the same path would more likely show an oops or a crash. Network segmentation and strict access controls around Bluetooth-enabled devices can limit potential exploitation. Organizations should also audit and monitor kernel logs for unusual Bluetooth-related errors or crashes that might indicate exploitation attempts. Finally, maintaining up-to-date intrusion detection systems with signatures for kernel-level anomalies can aid in early detection.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-05-01T14:05:17.247Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9821c4522896dcbdd781

Added to database: 5/21/2025, 9:08:49 AM

Last enriched: 6/28/2025, 1:09:59 AM

Last updated: 7/31/2025, 7:29:38 PM

