CVE-2024-26886: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: af_bluetooth: Fix deadlock Attemting to do sock_lock on .recvmsg may cause a deadlock as shown bellow, so instead of using sock_sock this uses sk_receive_queue.lock on bt_sock_ioctl to avoid the UAF: INFO: task kworker/u9:1:121 blocked for more than 30 seconds. Not tainted 6.7.6-lemon #183 Workqueue: hci0 hci_rx_work Call Trace: <TASK> __schedule+0x37d/0xa00 schedule+0x32/0xe0 __lock_sock+0x68/0xa0 ? __pfx_autoremove_wake_function+0x10/0x10 lock_sock_nested+0x43/0x50 l2cap_sock_recv_cb+0x21/0xa0 l2cap_recv_frame+0x55b/0x30a0 ? psi_task_switch+0xeb/0x270 ? finish_task_switch.isra.0+0x93/0x2a0 hci_rx_work+0x33a/0x3f0 process_one_work+0x13a/0x2f0 worker_thread+0x2f0/0x410 ? __pfx_worker_thread+0x10/0x10 kthread+0xe0/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2c/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK>
AI Analysis
Technical Summary
CVE-2024-26886 is a medium-severity vulnerability identified in the Linux kernel's Bluetooth subsystem, specifically within the af_bluetooth module. The issue arises from a deadlock condition triggered by improper locking mechanisms during socket operations, particularly when invoking sock_lock on the .recvmsg function. This deadlock occurs because the code attempts to lock the socket using sock_sock, which can lead to a use-after-free (UAF) scenario. The fix involves replacing the problematic sock_sock lock with the sk_receive_queue.lock on the bt_sock_ioctl function to prevent the deadlock and associated UAF. The vulnerability manifests as a task (kworker thread) being blocked for an extended period (over 30 seconds), indicating a severe hang or stall in kernel processing related to Bluetooth socket communication. The vulnerability is tracked under CWE-416 (Use After Free), which can cause system instability or denial of service (DoS) conditions. The CVSS v3.1 score is 6.5, reflecting a medium severity with an attack vector of adjacent network (AV:A), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no impact on confidentiality or integrity (C:N/I:N), but high impact on availability (A:H). No known exploits are reported in the wild as of the publication date (April 17, 2024). The affected versions are various Linux kernel commits prior to the fix, indicating that multiple kernel versions could be vulnerable if they include the affected Bluetooth stack code. The vulnerability primarily affects systems using Linux kernels with Bluetooth enabled and handling socket communications via the af_bluetooth module.
Potential Impact
For European organizations, the primary impact of CVE-2024-26886 is the potential for denial of service (DoS) on Linux-based systems that utilize Bluetooth functionality. This can cause critical system processes to hang or become unresponsive, particularly in environments where Bluetooth communication is integral, such as in IoT deployments, industrial control systems, or enterprise devices with Bluetooth peripherals. The deadlock can degrade system availability, potentially disrupting business operations, especially in sectors relying on real-time data or continuous connectivity. Although the vulnerability does not compromise confidentiality or integrity, the availability impact can lead to operational downtime, increased maintenance costs, and potential safety risks in critical infrastructure. Given the widespread use of Linux in servers, embedded devices, and workstations across Europe, organizations with Bluetooth-enabled Linux systems are at risk. The lack of required privileges or user interaction for exploitation means that an attacker with adjacent network access (e.g., Bluetooth range) could trigger the deadlock remotely, increasing the threat surface in environments with physical proximity to attackers. However, the absence of known exploits in the wild reduces immediate risk but does not eliminate the need for prompt mitigation.
Mitigation Recommendations
European organizations should implement the following specific mitigation strategies: 1) Apply the latest Linux kernel updates that include the patch for CVE-2024-26886 as soon as they become available from trusted Linux distributions or kernel maintainers. 2) For systems where immediate patching is not feasible, consider disabling Bluetooth functionality if it is not essential, thereby eliminating the attack vector. 3) Monitor kernel logs and system performance metrics for signs of task blocking or deadlocks related to Bluetooth socket operations to detect potential exploitation attempts early. 4) Restrict physical and network access to Bluetooth interfaces, employing Bluetooth device management policies to limit pairing and communication to trusted devices only. 5) Employ network segmentation and access controls to minimize exposure of Bluetooth-enabled Linux systems to untrusted or adjacent networks. 6) For critical infrastructure or industrial environments, conduct thorough testing of kernel updates in controlled environments to ensure stability before deployment. 7) Maintain an inventory of Linux systems with Bluetooth enabled to prioritize patching and mitigation efforts effectively.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
CVE-2024-26886: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: af_bluetooth: Fix deadlock Attemting to do sock_lock on .recvmsg may cause a deadlock as shown bellow, so instead of using sock_sock this uses sk_receive_queue.lock on bt_sock_ioctl to avoid the UAF: INFO: task kworker/u9:1:121 blocked for more than 30 seconds. Not tainted 6.7.6-lemon #183 Workqueue: hci0 hci_rx_work Call Trace: <TASK> __schedule+0x37d/0xa00 schedule+0x32/0xe0 __lock_sock+0x68/0xa0 ? __pfx_autoremove_wake_function+0x10/0x10 lock_sock_nested+0x43/0x50 l2cap_sock_recv_cb+0x21/0xa0 l2cap_recv_frame+0x55b/0x30a0 ? psi_task_switch+0xeb/0x270 ? finish_task_switch.isra.0+0x93/0x2a0 hci_rx_work+0x33a/0x3f0 process_one_work+0x13a/0x2f0 worker_thread+0x2f0/0x410 ? __pfx_worker_thread+0x10/0x10 kthread+0xe0/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2c/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK>
AI-Powered Analysis
Technical Analysis
CVE-2024-26886 is a medium-severity vulnerability identified in the Linux kernel's Bluetooth subsystem, specifically within the af_bluetooth module. The issue arises from a deadlock condition triggered by improper locking mechanisms during socket operations, particularly when invoking sock_lock on the .recvmsg function. This deadlock occurs because the code attempts to lock the socket using sock_sock, which can lead to a use-after-free (UAF) scenario. The fix involves replacing the problematic sock_sock lock with the sk_receive_queue.lock on the bt_sock_ioctl function to prevent the deadlock and associated UAF. The vulnerability manifests as a task (kworker thread) being blocked for an extended period (over 30 seconds), indicating a severe hang or stall in kernel processing related to Bluetooth socket communication. The vulnerability is tracked under CWE-416 (Use After Free), which can cause system instability or denial of service (DoS) conditions. The CVSS v3.1 score is 6.5, reflecting a medium severity with an attack vector of adjacent network (AV:A), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no impact on confidentiality or integrity (C:N/I:N), but high impact on availability (A:H). No known exploits are reported in the wild as of the publication date (April 17, 2024). The affected versions are various Linux kernel commits prior to the fix, indicating that multiple kernel versions could be vulnerable if they include the affected Bluetooth stack code. The vulnerability primarily affects systems using Linux kernels with Bluetooth enabled and handling socket communications via the af_bluetooth module.
Potential Impact
For European organizations, the primary impact of CVE-2024-26886 is the potential for denial of service (DoS) on Linux-based systems that utilize Bluetooth functionality. This can cause critical system processes to hang or become unresponsive, particularly in environments where Bluetooth communication is integral, such as in IoT deployments, industrial control systems, or enterprise devices with Bluetooth peripherals. The deadlock can degrade system availability, potentially disrupting business operations, especially in sectors relying on real-time data or continuous connectivity. Although the vulnerability does not compromise confidentiality or integrity, the availability impact can lead to operational downtime, increased maintenance costs, and potential safety risks in critical infrastructure. Given the widespread use of Linux in servers, embedded devices, and workstations across Europe, organizations with Bluetooth-enabled Linux systems are at risk. The lack of required privileges or user interaction for exploitation means that an attacker with adjacent network access (e.g., Bluetooth range) could trigger the deadlock remotely, increasing the threat surface in environments with physical proximity to attackers. However, the absence of known exploits in the wild reduces immediate risk but does not eliminate the need for prompt mitigation.
Mitigation Recommendations
European organizations should implement the following specific mitigation strategies: 1) Apply the latest Linux kernel updates that include the patch for CVE-2024-26886 as soon as they become available from trusted Linux distributions or kernel maintainers. 2) For systems where immediate patching is not feasible, consider disabling Bluetooth functionality if it is not essential, thereby eliminating the attack vector. 3) Monitor kernel logs and system performance metrics for signs of task blocking or deadlocks related to Bluetooth socket operations to detect potential exploitation attempts early. 4) Restrict physical and network access to Bluetooth interfaces, employing Bluetooth device management policies to limit pairing and communication to trusted devices only. 5) Employ network segmentation and access controls to minimize exposure of Bluetooth-enabled Linux systems to untrusted or adjacent networks. 6) For critical infrastructure or industrial environments, conduct thorough testing of kernel updates in controlled environments to ensure stability before deployment. 7) Maintain an inventory of Linux systems with Bluetooth enabled to prioritize patching and mitigation efforts effectively.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-02-19T14:20:24.185Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d9821c4522896dcbddb21
Added to database: 5/21/2025, 9:08:49 AM
Last enriched: 6/28/2025, 2:41:20 AM
Last updated: 8/4/2025, 12:25:45 AM
Views: 11
Related Threats
CVE-2025-8878: CWE-94 Improper Control of Generation of Code ('Code Injection') in properfraction Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
MediumCVE-2025-8143: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pencidesign Soledad
MediumCVE-2025-8142: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in pencidesign Soledad
HighCVE-2025-8105: CWE-94 Improper Control of Generation of Code ('Code Injection') in pencidesign Soledad
HighCVE-2025-8719: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in reubenthiessen Translate This gTranslate Shortcode
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.