CVE-2024-26890: Vulnerability in Linux

Medium
Published: Wed Apr 17 2024 (04/17/2024, 10:27:43 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btrtl: fix out of bounds memory access

The problem is detected by KASAN.

btrtl driver uses private hci data to store 'struct btrealtek_data'. If btrtl driver is used with btusb, then memory for private hci data is allocated in btusb. But no private data is allocated after hci_dev, when btrtl is used with hci_h5.

This commit adds memory allocation for hci_h5 case.

==================================================================
BUG: KASAN: slab-out-of-bounds in btrtl_initialize+0x6cc/0x958 [btrtl]
Write of size 8 at addr ffff00000f5a5748 by task kworker/u9:0/76

Hardware name: Pine64 PinePhone (1.2) (DT)
Workqueue: hci0 hci_power_on [bluetooth]
Call trace:
 dump_backtrace+0x9c/0x128
 show_stack+0x20/0x38
 dump_stack_lvl+0x48/0x60
 print_report+0xf8/0x5d8
 kasan_report+0x90/0xd0
 __asan_store8+0x9c/0xc0 [btrtl]
 h5_btrtl_setup+0xd0/0x2f8 [hci_uart]
 h5_setup+0x50/0x80 [hci_uart]
 hci_uart_setup+0xd4/0x260 [hci_uart]
 hci_dev_open_sync+0x1cc/0xf68 [bluetooth]
 hci_dev_do_open+0x34/0x90 [bluetooth]
 hci_power_on+0xc4/0x3c8 [bluetooth]
 process_one_work+0x328/0x6f0
 worker_thread+0x410/0x778
 kthread+0x168/0x178
 ret_from_fork+0x10/0x20

Allocated by task 53:
 kasan_save_stack+0x3c/0x68
 kasan_save_track+0x20/0x40
 kasan_save_alloc_info+0x68/0x78
 __kasan_kmalloc+0xd4/0xd8
 __kmalloc+0x1b4/0x3b0
 hci_alloc_dev_priv+0x28/0xa58 [bluetooth]
 hci_uart_register_device+0x118/0x4f8 [hci_uart]
 h5_serdev_probe+0xf4/0x178 [hci_uart]
 serdev_drv_probe+0x54/0xa0
 really_probe+0x254/0x588
 __driver_probe_device+0xc4/0x210
 driver_probe_device+0x64/0x160
 __driver_attach_async_helper+0x88/0x158
 async_run_entry_fn+0xd0/0x388
 process_one_work+0x328/0x6f0
 worker_thread+0x410/0x778
 kthread+0x168/0x178
 ret_from_fork+0x10/0x20

Last potentially related work creation:
 kasan_save_stack+0x3c/0x68
 __kasan_record_aux_stack+0xb0/0x150
 kasan_record_aux_stack_noalloc+0x14/0x20
 __queue_work+0x33c/0x960
 queue_work_on+0x98/0xc0
 hci_recv_frame+0xc8/0x1e8 [bluetooth]
 h5_complete_rx_pkt+0x2c8/0x800 [hci_uart]
 h5_rx_payload+0x98/0xb8 [hci_uart]
 h5_recv+0x158/0x3d8 [hci_uart]
 hci_uart_receive_buf+0xa0/0xe8 [hci_uart]
 ttyport_receive_buf+0xac/0x178
 flush_to_ldisc+0x130/0x2c8
 process_one_work+0x328/0x6f0
 worker_thread+0x410/0x778
 kthread+0x168/0x178
 ret_from_fork+0x10/0x20

Second to last potentially related work creation:
 kasan_save_stack+0x3c/0x68
 __kasan_record_aux_stack+0xb0/0x150
 kasan_record_aux_stack_noalloc+0x14/0x20
 __queue_work+0x788/0x960
 queue_work_on+0x98/0xc0
 __hci_cmd_sync_sk+0x23c/0x7a0 [bluetooth]
 __hci_cmd_sync+0x24/0x38 [bluetooth]
 btrtl_initialize+0x760/0x958 [btrtl]
 h5_btrtl_setup+0xd0/0x2f8 [hci_uart]
 h5_setup+0x50/0x80 [hci_uart]
 hci_uart_setup+0xd4/0x260 [hci_uart]
 hci_dev_open_sync+0x1cc/0xf68 [bluetooth]
 hci_dev_do_open+0x34/0x90 [bluetooth]
 hci_power_on+0xc4/0x3c8 [bluetooth]
 process_one_work+0x328/0x6f0
 worker_thread+0x410/0x778
 kthread+0x168/0x178
 ret_from_fork+0x10/0x20
==================================================================

AI-Powered Analysis

Last updated: 06/29/2025, 19:56:27 UTC

Technical Analysis

CVE-2024-26890 is a medium severity vulnerability in the Linux kernel's Bluetooth subsystem, specifically in the btrtl driver that handles Realtek Bluetooth chipsets. The issue is an out-of-bounds memory access detected by the Kernel Address Sanitizer (KASAN). The root cause is that the private HCI (Host Controller Interface) data is never allocated when the btrtl driver is used with the hci_h5 transport layer: the btusb transport allocates room for 'struct btrealtek_data' after the hci_dev, but hci_h5 does not, so btrtl's first store into that area during initialization lands past the end of the allocated object. The result is a slab-out-of-bounds write that can corrupt kernel memory and lead to instability or crashes. The bug was identified from a KASAN kernel stack trace passing through Bluetooth driver functions such as hci_dev_open_sync and hci_power_on. The affected Linux kernel versions are those around commit 5b355944b19011011dd3fd4187444c5ff1d76ad2. The CVSS 3.1 score is 6.5 (medium), reflecting that the vulnerability can be exploited remotely without privileges or user interaction and impacts availability and, to a limited extent, confidentiality. No exploits in the wild are known at the time of writing. The underlying weakness is classified as CWE-125 (Out-of-bounds Read). The vulnerability matters because Bluetooth is widely used for device connectivity, and kernel-level memory bugs can compromise both system stability and security. The fix allocates the private HCI data for the hci_h5 transport so that the write stays inside the allocated object.
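The following user-space C model is added here to illustrate the allocation contract the fix restores; it is not kernel code and not part of the original advisory. The transport that creates the device is responsible for sizing the allocation for the vendor driver's private data, and when it passes a size of zero the driver's first store has nowhere legitimate to go. All `*_model` types and the `alloc_dev`, `get_priv` and `vendor_setup` functions are constructed stand-ins for the kernel's hci_alloc_dev_priv(), hci_get_priv() and the btrtl setup path.

```c
/* Constructed user-space model of the allocation contract behind the
 * btrtl/hci_h5 bug; not kernel code. A transport allocates the HCI
 * device with an optional trailing private area (hci_alloc_dev_priv()'s
 * job), and the vendor driver keeps its state there (hci_get_priv()). */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for struct btrealtek_data, the vendor's private state. */
struct rtl_priv_model {
    uint64_t flags;            /* the 8-byte store KASAN flagged */
};

/* Stand-in for struct hci_dev; the real one is far larger. */
struct hdev_model {
    char name[8];
    size_t sizeof_priv;        /* bytes available after this struct */
};

/* Model of hci_alloc_dev_priv(): the device plus sizeof_priv bytes. */
static struct hdev_model *alloc_dev(size_t sizeof_priv)
{
    struct hdev_model *hdev = calloc(1, sizeof(*hdev) + sizeof_priv);
    if (!hdev)
        return NULL;
    strcpy(hdev->name, "hci0");
    hdev->sizeof_priv = sizeof_priv;
    return hdev;
}

/* Model of hci_get_priv(): the bytes immediately after the device. */
static void *get_priv(struct hdev_model *hdev)
{
    return (char *)hdev + sizeof(*hdev);
}

/* Model of the btrtl setup path. The kernel has no such runtime check
 * (only KASAN caught the bug); this model refuses the write when the
 * transport allocated no private area rather than corrupt the object
 * that follows the device in the slab. */
static int vendor_setup(struct hdev_model *hdev)
{
    struct rtl_priv_model *priv;
    if (hdev->sizeof_priv < sizeof(*priv))
        return -1;             /* hci_h5 before the fix: sizeof_priv == 0 */
    priv = get_priv(hdev);
    priv->flags = 1;           /* the 8-byte store into the private area */
    return 0;
}
```

The check in `vendor_setup` is what the model adds for safety; in the kernel the contract is enforced only by the transport passing the right size, which is exactly what the hci_h5 path failed to do.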

Potential Impact

For European organizations, this vulnerability poses a moderate risk primarily to systems running Linux kernels with affected versions and utilizing Bluetooth with Realtek chipsets via the btrtl driver and hci_h5 transport. Potential impacts include system crashes or denial of service due to kernel memory corruption, which can disrupt business operations, especially in environments relying on Bluetooth for critical device communication (e.g., IoT devices, industrial control systems, or mobile devices). Confidentiality impact is limited but possible if memory corruption leads to information leakage. Since exploitation does not require privileges or user interaction and can be triggered remotely via Bluetooth, attackers within wireless range could potentially exploit this flaw to destabilize systems or cause service interruptions. This is particularly relevant for organizations with mobile workforces, public-facing Linux servers with Bluetooth enabled, or embedded Linux devices in operational technology. However, the absence of known exploits reduces immediate risk, though proactive patching is advised to prevent future exploitation.

Mitigation Recommendations

1. Apply the official Linux kernel patches that address CVE-2024-26890 as soon as they become available from trusted sources or Linux distribution vendors.
2. For systems where immediate patching is not feasible, consider disabling Bluetooth functionality temporarily, especially on devices using Realtek chipsets with the btrtl driver and hci_h5 transport.
3. Implement strict Bluetooth device pairing policies and limit Bluetooth usage to trusted devices only, reducing exposure to potential attackers within wireless range.
4. Monitor kernel logs for KASAN reports or unusual Bluetooth driver errors that may indicate attempted exploitation or instability.
5. For embedded or IoT devices, coordinate with vendors to ensure firmware updates include this fix.
6. Employ network segmentation and endpoint security controls to limit the impact of compromised devices.
7. Educate users and administrators about the risks of Bluetooth vulnerabilities and encourage disabling Bluetooth when not in use.


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-02-19T14:20:24.186Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d982bc4522896dcbe3e70

Added to database: 5/21/2025, 9:08:59 AM

Last enriched: 6/29/2025, 7:56:27 PM

Last updated: 8/12/2025, 6:20:25 PM
