
CVE-2024-27398: Vulnerability in Linux (Linux kernel)

High
Published: Mon May 13 2024 (05/13/2024, 10:22:26 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout

When the sco connection is established and then the sco socket is being released, timeout_work will be scheduled to judge whether the sco disconnection has timed out. The sock will be deallocated later, but it is dereferenced again in sco_sock_timeout. As a result, use-after-free bugs will happen. The root cause is shown below:

      Cleanup Thread               |      Worker Thread
  sco_sock_release                 |
    sco_sock_close                 |
      __sco_sock_close             |
        sco_sock_set_timer         |
          schedule_delayed_work    |
    sco_sock_kill                  |    (wait a time)
      sock_put(sk) //FREE          |  sco_sock_timeout
                                   |    sock_hold(sk) //USE

The KASAN report triggered by POC is shown below:

[ 95.890016] ==================================================================
[ 95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0
[ 95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7
...
[ 95.890755] Workqueue: events sco_sock_timeout
[ 95.890755] Call Trace:
[ 95.890755]  <TASK>
[ 95.890755]  dump_stack_lvl+0x45/0x110
[ 95.890755]  print_address_description+0x78/0x390
[ 95.890755]  print_report+0x11b/0x250
[ 95.890755]  ? __virt_addr_valid+0xbe/0xf0
[ 95.890755]  ? sco_sock_timeout+0x5e/0x1c0
[ 95.890755]  kasan_report+0x139/0x170
[ 95.890755]  ? update_load_avg+0xe5/0x9f0
[ 95.890755]  ? sco_sock_timeout+0x5e/0x1c0
[ 95.890755]  kasan_check_range+0x2c3/0x2e0
[ 95.890755]  sco_sock_timeout+0x5e/0x1c0
[ 95.890755]  process_one_work+0x561/0xc50
[ 95.890755]  worker_thread+0xab2/0x13c0
[ 95.890755]  ? pr_cont_work+0x490/0x490
[ 95.890755]  kthread+0x279/0x300
[ 95.890755]  ? pr_cont_work+0x490/0x490
[ 95.890755]  ? kthread_blkcg+0xa0/0xa0
[ 95.890755]  ret_from_fork+0x34/0x60
[ 95.890755]  ? kthread_blkcg+0xa0/0xa0
[ 95.890755]  ret_from_fork_asm+0x11/0x20
[ 95.890755]  </TASK>
[ 95.890755]
[ 95.890755] Allocated by task 506:
[ 95.890755]  kasan_save_track+0x3f/0x70
[ 95.890755]  __kasan_kmalloc+0x86/0x90
[ 95.890755]  __kmalloc+0x17f/0x360
[ 95.890755]  sk_prot_alloc+0xe1/0x1a0
[ 95.890755]  sk_alloc+0x31/0x4e0
[ 95.890755]  bt_sock_alloc+0x2b/0x2a0
[ 95.890755]  sco_sock_create+0xad/0x320
[ 95.890755]  bt_sock_create+0x145/0x320
[ 95.890755]  __sock_create+0x2e1/0x650
[ 95.890755]  __sys_socket+0xd0/0x280
[ 95.890755]  __x64_sys_socket+0x75/0x80
[ 95.890755]  do_syscall_64+0xc4/0x1b0
[ 95.890755]  entry_SYSCALL_64_after_hwframe+0x67/0x6f
[ 95.890755]
[ 95.890755] Freed by task 506:
[ 95.890755]  kasan_save_track+0x3f/0x70
[ 95.890755]  kasan_save_free_info+0x40/0x50
[ 95.890755]  poison_slab_object+0x118/0x180
[ 95.890755]  __kasan_slab_free+0x12/0x30
[ 95.890755]  kfree+0xb2/0x240
[ 95.890755]  __sk_destruct+0x317/0x410
[ 95.890755]  sco_sock_release+0x232/0x280
[ 95.890755]  sock_close+0xb2/0x210
[ 95.890755]  __fput+0x37f/0x770
[ 95.890755]  task_work_run+0x1ae/0x210
[ 95.890755]  get_signal+0xe17/0xf70
[ 95.890755]  arch_do_signal_or_restart+0x3f/0x520
[ 95.890755]  syscall_exit_to_user_mode+0x55/0x120
[ 95.890755]  do_syscall_64+0xd1/0x1b0
[ 95.890755]  entry_SYSCALL_64_after_hwframe+0x67/0x6f
[ 95.890755]
[ 95.890755] The buggy address belongs to the object at ffff88800c388000
[ 95.890755]  which belongs to the cache kmalloc-1k of size 1024
[ 95.890755] The buggy address is located 128 bytes inside of
[ 95.890755]  freed 1024-byte region [ffff88800c388000, ffff88800c388400)
[ 95.890755]
[ 95.890755] The buggy address belongs to the physical page:
[ 95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388
[ 95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 95.890755] ano ---truncated---
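As an added example (not part of the CVE record or of the kernel's own code), the Python below parses KASAN report lines like those quoted above into the bug kind, faulting function, access, workqueue and the call/alloc/free stacks, and computes how far inside the freed object the bad access landed. The `triage` signature that flags the release-then-timeout pattern is an assumed detection rule written for log monitoring, not an official one.

```python
import re
# Abridged excerpt copied verbatim from the KASAN report quoted above.
KASAN_EXCERPT = """\
[ 95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0
[ 95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7
[ 95.890755] Workqueue: events sco_sock_timeout
[ 95.890755] ? sco_sock_timeout+0x5e/0x1c0
[ 95.890755] sco_sock_timeout+0x5e/0x1c0
[ 95.890755] process_one_work+0x561/0xc50
[ 95.890755] Allocated by task 506:
[ 95.890755] sco_sock_create+0xad/0x320
[ 95.890755] Freed by task 506:
[ 95.890755] __sk_destruct+0x317/0x410
[ 95.890755] sco_sock_release+0x232/0x280
[ 95.890755] freed 1024-byte region [ffff88800c388000, ffff88800c388400)
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s*")            # dmesg timestamp prefix
BUG = re.compile(r"BUG: KASAN: ([\w-]+) in (\w+)\+0x")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)")
REGION = re.compile(r"freed \d+-byte region \[([0-9a-f]+), ([0-9a-f]+)\)")
FRAME = re.compile(r"^(\? )?(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+$")

def parse_kasan(text):
    # Split a KASAN report into bug kind, faulting access and the three stacks.
    r = {"call_trace": [], "allocated_by": [], "freed_by": []}
    stack = "call_trace"
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if m := BUG.search(line):
            r["kind"], r["func"] = m[1], m[2]
        elif m := ACCESS.search(line):
            r["op"], r["size"], r["addr"], r["task"] = m[1], int(m[2]), int(m[3], 16), m[4]
        elif m := REGION.search(line):
            r["region"] = (int(m[1], 16), int(m[2], 16))
        elif line.startswith("Workqueue:"):
            r["workqueue"] = line.split()[-1]
        elif line.startswith(("Allocated by", "Freed by")):
            stack = "allocated_by" if line[0] == "A" else "freed_by"
        elif (m := FRAME.match(line)) and not m[1]:  # "? " frames are unreliable guesses
            r[stack].append(m[2])
    return r

def triage(r):
    # Offset of the bad access inside the freed object, plus a verdict (assumed signature).
    offset = r["addr"] - r["region"][0]                  # 0x80 = 128 bytes for this report
    sco_uaf = (r.get("kind") == "slab-use-after-free"
               and r.get("func") == "sco_sock_timeout"
               and "sco_sock_release" in r["freed_by"])
    return offset, "CVE-2024-27398 pattern" if sco_uaf else "unclassified"
```

The offset of 128 reproduces the kernel's own "located 128 bytes inside of" line, which is a quick sanity check that the address parsing is right before the verdict is trusted.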

AI-Powered Analysis

Last updated: 06/28/2025, 03:10:05 UTC

Technical Analysis

CVE-2024-27398 is a use-after-free vulnerability in the Linux kernel's Bluetooth subsystem, specifically in the handling of SCO (Synchronous Connection-Oriented) sockets. The flaw arises during the lifecycle of an SCO socket: when the socket is released, timeout_work is scheduled to check whether the SCO disconnection has timed out, and the kernel later dereferences the already-freed socket object in sco_sock_timeout. The socket is deallocated on one thread (the cleanup thread running sco_sock_release, which ends in sock_put) while the delayed workqueue item (the worker thread) still carries the raw socket pointer and calls sock_hold on it after the free, a classic use-after-free. The trigger sequence is an established SCO connection followed by closing the socket; the scheduled timeout_work then accesses the socket after it has been freed. The KASAN (Kernel Address Sanitizer) report in the description confirms this as a slab-use-after-free (a 4-byte write into a freed kmalloc-1k object from the events workqueue), indicating a memory corruption risk. Exploiting this vulnerability could allow an attacker able to manipulate Bluetooth SCO connections to corrupt kernel memory, potentially leading to denial of service (system crashes) or privilege escalation if combined with crafted inputs. The vulnerability affects multiple Linux kernel versions identified by specific commit hashes, and no CVSS score has been assigned yet. There are no known exploits in the wild at the time of publication. The root cause is a race condition between socket release and execution of the delayed timeout work, which has been fixed in recent kernel updates.

Potential Impact

For European organizations, the impact of CVE-2024-27398 can be significant, especially for those relying on Linux-based systems with Bluetooth capabilities, such as embedded devices, IoT infrastructure, telecommunications equipment, and enterprise servers running Linux kernels with Bluetooth support. Exploitation could lead to kernel crashes causing service disruptions or enable attackers to escalate privileges, compromising system integrity and confidentiality. Organizations in sectors like manufacturing, healthcare, transportation, and critical infrastructure that use Linux-based Bluetooth-enabled devices are at risk. The vulnerability could be leveraged in targeted attacks or lateral movement within networks if attackers gain Bluetooth proximity access. Given the widespread use of Linux in European data centers, cloud providers, and industrial control systems, unpatched systems could face operational downtime and potential data breaches. However, exploitation requires Bluetooth SCO connection manipulation, which somewhat limits remote attack vectors but does not eliminate risk in environments with accessible Bluetooth interfaces.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernels to the latest patched versions that address CVE-2024-27398. Specifically, kernel versions incorporating the fix for the SCO socket use-after-free should be deployed promptly. For devices where immediate patching is not feasible, disabling Bluetooth or restricting SCO connections can reduce exposure. Network segmentation and limiting Bluetooth access to trusted devices reduce the attack surface. Monitoring kernel logs for unusual Bluetooth socket activity and enabling kernel debugging tools like KASAN in test environments can help detect exploitation attempts; a KASAN slab-use-after-free report naming sco_sock_timeout, as in the description above, is the concrete indicator to look for. Additionally, organizations should audit their inventory of Linux-based Bluetooth-enabled devices to identify vulnerable systems. For embedded and IoT devices, coordinate with vendors for firmware updates. Implement strict access controls and physical security to prevent unauthorized Bluetooth proximity attacks. Finally, incorporate this vulnerability into vulnerability management and incident response plans to ensure rapid detection and remediation.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-25T13:47:42.681Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9821c4522896dcbddbe1

Added to database: 5/21/2025, 9:08:49 AM

Last enriched: 6/28/2025, 3:10:05 AM

Last updated: 7/29/2025, 3:10:39 AM
