CVE-2022-49910: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu

Fix the race condition between the following two flows that run in parallel:

1. l2cap_reassemble_sdu -> chan->ops->recv (l2cap_sock_recv_cb) -> __sock_queue_rcv_skb.
2. bt_sock_recvmsg -> skb_recv_datagram, skb_free_datagram.

An SKB can be queued by the first flow and immediately dequeued and freed by the second flow, therefore the callers of l2cap_reassemble_sdu can't use the SKB after that function returns. However, some places continue accessing struct l2cap_ctrl that resides in the SKB's CB for a short time after l2cap_reassemble_sdu returns, leading to a use-after-free condition (the stack trace is below, line numbers for kernel 5.19.8). Fix it by keeping a local copy of struct l2cap_ctrl.

BUG: KASAN: use-after-free in l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth
Read of size 1 at addr ffff88812025f2f0 by task kworker/u17:3/43169
Workqueue: hci0 hci_rx_work [bluetooth]
Call Trace:
<TASK>
dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4))
print_report.cold (mm/kasan/report.c:314 mm/kasan/report.c:429)
? l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth
kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493)
? l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth
l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth
l2cap_rx (net/bluetooth/l2cap_core.c:7236 net/bluetooth/l2cap_core.c:7271) bluetooth
ret_from_fork (arch/x86/entry/entry_64.S:306)
</TASK>

Allocated by task 43169:
kasan_save_stack (mm/kasan/common.c:39)
__kasan_slab_alloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469)
kmem_cache_alloc_node (mm/slab.h:750 mm/slub.c:3243 mm/slub.c:3293)
__alloc_skb (net/core/skbuff.c:414)
l2cap_recv_frag (./include/net/bluetooth/bluetooth.h:425 net/bluetooth/l2cap_core.c:8329) bluetooth
l2cap_recv_acldata (net/bluetooth/l2cap_core.c:8442) bluetooth
hci_rx_work (net/bluetooth/hci_core.c:3642 net/bluetooth/hci_core.c:3832) bluetooth
process_one_work (kernel/workqueue.c:2289)
worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2437)
kthread (kernel/kthread.c:376)
ret_from_fork (arch/x86/entry/entry_64.S:306)

Freed by task 27920:
kasan_save_stack (mm/kasan/common.c:39)
kasan_set_track (mm/kasan/common.c:45)
kasan_set_free_info (mm/kasan/generic.c:372)
____kasan_slab_free (mm/kasan/common.c:368 mm/kasan/common.c:328)
slab_free_freelist_hook (mm/slub.c:1780)
kmem_cache_free (mm/slub.c:3536 mm/slub.c:3553)
skb_free_datagram (./include/net/sock.h:1578 ./include/net/sock.h:1639 net/core/datagram.c:323)
bt_sock_recvmsg (net/bluetooth/af_bluetooth.c:295) bluetooth
l2cap_sock_recvmsg (net/bluetooth/l2cap_sock.c:1212) bluetooth
sock_read_iter (net/socket.c:1087)
new_sync_read (./include/linux/fs.h:2052 fs/read_write.c:401)
vfs_read (fs/read_write.c:482)
ksys_read (fs/read_write.c:620)
do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
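The following constructed C model, added here and not taken from the kernel or from this advisory, shows the ownership hazard the commit message describes and the "local copy" fix in single-threaded form. The consumer's free is run synchronously inside the queueing call so the worst-case interleaving is deterministic, and released memory is poisoned rather than actually freed so the stale read is observable; the names struct skb, struct ctrl, reassemble_sdu and rx_state_recv_* are simplified stand-ins for the kernel's, not its real definitions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for struct l2cap_ctrl, which in the kernel lives
 * inside skb->cb and therefore dies together with the skb. */
struct ctrl { uint8_t sar; uint8_t final; uint16_t reqseq; };
struct skb  { struct ctrl cb; int freed; };

#define POISON 0xAA   /* value written over released memory (constructed) */

/* Model of flow 2 (bt_sock_recvmsg -> skb_free_datagram) running right
 * after the skb is queued: the allocation is released and poisoned. */
static void consumer_free(struct skb *s) {
    memset(&s->cb, POISON, sizeof s->cb);   /* stands in for slab reuse */
    s->freed = 1;
}

/* Model of l2cap_reassemble_sdu: once this returns 0 the skb has been
 * queued and the caller no longer owns it. The free is invoked inline
 * to make the race's losing interleaving deterministic. */
static int reassemble_sdu(struct skb *s) {
    consumer_free(s);
    return 0;
}

/* Vulnerable shape: touches s->cb after the skb has been handed off. */
static int rx_state_recv_vulnerable(struct skb *s) {
    int err = reassemble_sdu(s);
    if (err) return err;
    return s->cb.final;            /* use-after-free in the real kernel */
}

/* Fixed shape: copy the control block before giving the skb away. */
static int rx_state_recv_fixed(struct skb *s) {
    struct ctrl control = s->cb;   /* local copy survives the free */
    int err = reassemble_sdu(s);
    if (err) return err;
    return control.final;
}

/* Drive each shape on a fresh skb whose ctrl has final = 1. */
static int run_shape(int (*shape)(struct skb *)) {
    struct skb *s = calloc(1, sizeof *s);
    if (!s) return -1;
    s->cb.final = 1;
    int v = shape(s);
    free(s);                       /* real release, after the read */
    return v;
}
static int demo_vulnerable(void) { return run_shape(rx_state_recv_vulnerable); }
static int demo_fixed(void)      { return run_shape(rx_state_recv_fixed); }
```

The vulnerable shape returns the poison byte instead of the field it intended to read, which is the same stale-memory read KASAN flagged at l2cap_core.c:6906; the fixed shape returns the value that was valid at hand-off time.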
AI Analysis
Technical Summary
CVE-2022-49910 is a use-after-free vulnerability in the Linux kernel's Bluetooth subsystem, specifically within the L2CAP (Logical Link Control and Adaptation Protocol) implementation. The flaw arises due to a race condition between two parallel execution flows: one that queues a socket buffer (SKB) during the reassembly of L2CAP SDUs (Service Data Units) and another that dequeues and frees the SKB almost immediately. The vulnerable code continues to access the l2cap_ctrl structure residing in the SKB's control buffer after the SKB has been freed, leading to a use-after-free condition. This can cause kernel memory corruption, potentially leading to system crashes or arbitrary code execution in kernel space. The vulnerability was identified in Linux kernel version 5.19.8 and involves complex interactions in the Bluetooth stack's packet reception and processing routines. The fix involves making a local copy of the l2cap_ctrl structure to avoid accessing freed memory. The vulnerability does not currently have any known exploits in the wild and lacks an assigned CVSS score. The technical details include kernel stack traces and memory allocation/freeing call paths, confirming the use-after-free condition triggered by concurrent Bluetooth packet processing.
Potential Impact
For European organizations, the impact of CVE-2022-49910 can be significant, especially for those relying on Linux-based systems with Bluetooth capabilities. The vulnerability could be exploited to cause denial of service via kernel crashes or potentially escalate privileges if an attacker can execute arbitrary code in kernel space. This is particularly concerning for enterprises using Linux servers, embedded devices, or IoT infrastructure with Bluetooth enabled. The confidentiality, integrity, and availability of affected systems could be compromised. Given the kernel-level nature of the flaw, exploitation could lead to full system compromise. While exploitation requires triggering Bluetooth packet processing, no user interaction is explicitly required if an attacker can send crafted Bluetooth packets. This increases the risk in environments where Bluetooth is enabled and accessible. The lack of known exploits suggests limited current threat but does not preclude future weaponization. Organizations in sectors such as manufacturing, healthcare, telecommunications, and critical infrastructure that use Linux-based Bluetooth-enabled devices are at heightened risk.
Mitigation Recommendations
1. Immediately apply Linux kernel updates that include the patch for CVE-2022-49910 once available from trusted Linux distributions or vendors.
2. Temporarily disable Bluetooth functionality on critical Linux systems where it is not essential to reduce the attack surface.
3. Implement network segmentation and access controls to restrict Bluetooth device connectivity, especially in sensitive environments.
4. Monitor kernel logs and system behavior for signs of crashes or anomalous Bluetooth activity that could indicate exploitation attempts.
5. For embedded and IoT devices running vulnerable Linux kernels, coordinate with device manufacturers for firmware updates or consider device replacement if patches are unavailable.
6. Employ kernel hardening techniques such as Kernel Address Sanitizer (KASAN) in testing environments to detect similar memory corruption issues proactively.
7. Educate system administrators about the risks of Bluetooth vulnerabilities and encourage disabling Bluetooth on servers and critical infrastructure unless explicitly required.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-05-01T14:05:17.247Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982bc4522896dcbe401e
Added to database: 5/21/2025, 9:08:59 AM
Last enriched: 6/29/2025, 8:39:41 PM
Last updated: 8/11/2025, 5:12:59 AM
Views: 11
Related Threats
- CVE-2025-55107: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Esri Portal for ArcGIS Enterprise Sites (Medium)
- CVE-2025-55106: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Esri Portal for ArcGIS Enterprise Sites (Medium)
- CVE-2025-55105: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Esri Portal for ArcGIS Enterprise Experience Sites (Medium)
- CVE-2025-55104: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Esri Portal for ArcGIS Enterprise Sites (Medium)
- CVE-2025-55103: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Esri Portal for ArcGIS Enterprise Sites (Medium)