
CVE-2024-27399: Vulnerability in Linux Linux

High
Published: Mon May 13 2024 (05/13/2024, 10:24:57 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout

There is a race condition between l2cap_chan_timeout() and l2cap_chan_del(). When we use l2cap_chan_del() to delete the channel, the chan->conn will be set to null. But the conn could be dereferenced again in the mutex_lock() of l2cap_chan_timeout(). As a result the null pointer dereference bug will happen.

The KASAN report triggered by POC is shown below:

[ 472.074580] ==================================================================
[ 472.075284] BUG: KASAN: null-ptr-deref in mutex_lock+0x68/0xc0
[ 472.075308] Write of size 8 at addr 0000000000000158 by task kworker/0:0/7
[ 472.075308]
[ 472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36
[ 472.075308] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4
[ 472.075308] Workqueue: events l2cap_chan_timeout
[ 472.075308] Call Trace:
[ 472.075308] <TASK>
[ 472.075308] dump_stack_lvl+0x137/0x1a0
[ 472.075308] print_report+0x101/0x250
[ 472.075308] ? __virt_addr_valid+0x77/0x160
[ 472.075308] ? mutex_lock+0x68/0xc0
[ 472.075308] kasan_report+0x139/0x170
[ 472.075308] ? mutex_lock+0x68/0xc0
[ 472.075308] kasan_check_range+0x2c3/0x2e0
[ 472.075308] mutex_lock+0x68/0xc0
[ 472.075308] l2cap_chan_timeout+0x181/0x300
[ 472.075308] process_one_work+0x5d2/0xe00
[ 472.075308] worker_thread+0xe1d/0x1660
[ 472.075308] ? pr_cont_work+0x5e0/0x5e0
[ 472.075308] kthread+0x2b7/0x350
[ 472.075308] ? pr_cont_work+0x5e0/0x5e0
[ 472.075308] ? kthread_blkcg+0xd0/0xd0
[ 472.075308] ret_from_fork+0x4d/0x80
[ 472.075308] ? kthread_blkcg+0xd0/0xd0
[ 472.075308] ret_from_fork_asm+0x11/0x20
[ 472.075308] </TASK>
[ 472.075308] ==================================================================
[ 472.094860] Disabling lock debugging due to kernel taint
[ 472.096136] BUG: kernel NULL pointer dereference, address: 0000000000000158
[ 472.096136] #PF: supervisor write access in kernel mode
[ 472.096136] #PF: error_code(0x0002) - not-present page
[ 472.096136] PGD 0 P4D 0
[ 472.096136] Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI
[ 472.096136] CPU: 0 PID: 7 Comm: kworker/0:0 Tainted: G B 6.9.0-rc5-00356-g78c0094a146b #36
[ 472.096136] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4
[ 472.096136] Workqueue: events l2cap_chan_timeout
[ 472.096136] RIP: 0010:mutex_lock+0x88/0xc0
[ 472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88
[ 472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246
[ 472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865
[ 472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78
[ 472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f
[ 472.096136] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000
[ 472.096136] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00
[ 472.096136] FS: 0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
[ 472.096136] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 472.096136] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0
[ 472.096136] Call Trace:
[ 472.096136] <TASK>
[ 472.096136] ? __die_body+0x8d/0xe0
[ 472.096136] ? page_fault_oops+0x6b8/0x9a0
[ 472.096136] ? kernelmode_fixup_or_oops+0x20c/0x2a0
[ 472.096136] ? do_user_addr_fault+0x1027/0x1340
[ 472.096136] ? _printk+0x7a/0xa0
[ 472.096136] ? mutex_lock+0x68/0xc0
[ 472.096136] ? add_taint+0x42/0xd0
[ 472.096136] ? exc_page_fault+0x6a/0x1b0
[ 472.096136] ? asm_exc_page_fault+0x26/0x30
[ 472.096136] ? mutex_lock+0x75/0xc0
[ 472.096136] ? mutex_lock+0x88/0xc0
[ 472.096136] ? mutex_lock+0x75/0xc0
[ 472.096136] l2cap_chan_timeo ---truncated---

AI-Powered Analysis

Last updated: 06/29/2025, 15:26:08 UTC

Technical Analysis

CVE-2024-27399 is a vulnerability identified in the Linux kernel's Bluetooth subsystem, specifically within the L2CAP (Logical Link Control and Adaptation Protocol) layer. The flaw arises from a race condition between two kernel functions: l2cap_chan_timeout() and l2cap_chan_del(). When a Bluetooth channel is deleted via l2cap_chan_del(), the channel's connection pointer (chan->conn) is set to null. However, due to the race condition, l2cap_chan_timeout() may still attempt to dereference this now-null pointer while acquiring a mutex lock, leading to a null pointer dereference (NPD) in kernel space. The vulnerability was detected and confirmed by Kernel Address Sanitizer (KASAN), which reported a null pointer dereference during mutex_lock() execution. This results in a kernel oops and potential system crash or denial of service (DoS). The issue affects Linux kernel versions prior to the patch and is triggered by Bluetooth L2CAP channel timeout handling. The vulnerability does not require user interaction but does require the presence of Bluetooth functionality and the ability to trigger channel deletion and timeout events. Exploitation could be achieved by an attacker with local or potentially proximate Bluetooth access, causing kernel instability or crashes. No known exploits are reported in the wild yet, and no CVSS score has been assigned. The vulnerability is significant because it affects the core Linux kernel Bluetooth stack, which is widely used across many Linux distributions and devices, including servers, desktops, and embedded systems. The root cause is a concurrency issue leading to unsafe memory access in kernel mode, which is critical due to the privileged nature of kernel execution.
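Added example, not code from the kernel or from this page: a user-space model in C of the ordering described above. chan_del() clears chan->conn; a timeout handler that locks through that pointer without checking it dereferences NULL, while the hardened variant snapshots the pointer once and returns early. All names are simplified stand-ins for l2cap_chan, l2cap_conn and l2cap_chan_timeout(), and the null check is an assumed fix shape, not the upstream patch.

```c
/* Added example, not kernel code: a user-space model of the ordering behind
 * CVE-2024-27399. Names are simplified stand-ins for l2cap_chan, l2cap_conn and
 * l2cap_chan_timeout(); the guard in timeout_checked() is an assumed fix shape. */
#include <pthread.h>
#include <stddef.h>
struct conn {
    pthread_mutex_t chan_lock;   /* stand-in for l2cap_conn::chan_lock */
};
struct chan {
    struct conn *conn;           /* cleared by chan_del(), like chan->conn */
    int connected;
};

/* Models l2cap_chan_del(): the channel loses its connection pointer. */
void chan_del(struct chan *chan)
{
    chan->connected = 0;
    chan->conn = NULL;
}

/* Vulnerable shape: locks through chan->conn with no check; after chan_del()
 * the lock write lands at a small offset from NULL, as in the page's oops. */
int timeout_unchecked(struct chan *chan)
{
    struct conn *conn = chan->conn;
    pthread_mutex_lock(&conn->chan_lock);      /* NULL deref after chan_del() */
    chan->connected = 0;
    pthread_mutex_unlock(&conn->chan_lock);
    return 0;
}

/* Hardened shape: snapshot the pointer once and bail out if the channel is
 * already gone, since there is nothing left to tear down. */
int timeout_checked(struct chan *chan)
{
    struct conn *conn = chan->conn;
    if (!conn)
        return -1;                             /* already deleted */
    pthread_mutex_lock(&conn->chan_lock);
    chan->connected = 0;
    pthread_mutex_unlock(&conn->chan_lock);
    return 0;
}

/* Deterministic orderings: 0 = timeout while connected, 1 = delete before timeout. */
int run_ordering(int delete_first)
{
    struct conn conn = { PTHREAD_MUTEX_INITIALIZER };
    struct chan chan = { &conn, 1 };
    if (delete_first)
        chan_del(&chan);
    return timeout_checked(&chan);
}
```

Calling timeout_unchecked() on a channel after chan_del() reproduces the crash shape in the description; run_ordering() only exercises the checked handler so it can be run safely.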

Potential Impact

For European organizations, the impact of CVE-2024-27399 could be considerable, especially for those relying on Linux-based systems with Bluetooth enabled. The vulnerability can cause kernel crashes leading to denial of service, which may disrupt critical services, especially in environments where Linux servers or embedded devices manage Bluetooth communications (e.g., IoT devices, industrial control systems, or user endpoints). Organizations in sectors such as manufacturing, healthcare, transportation, and telecommunications that use Linux devices with Bluetooth capabilities could face operational interruptions. Additionally, while this vulnerability does not directly allow privilege escalation or remote code execution, the resulting system instability could be leveraged as part of a broader attack chain or cause significant downtime. Given the widespread use of Linux in European data centers, cloud infrastructures, and enterprise environments, unpatched systems remain at risk of service degradation or outages. The lack of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability details are public. The impact is amplified in environments where Bluetooth is used for critical communications or device management, and where system availability is paramount.

Mitigation Recommendations

To mitigate CVE-2024-27399, European organizations should:

1) Apply the latest Linux kernel patches as soon as they become available from trusted distribution vendors or directly from the Linux kernel maintainers to address the race condition in the Bluetooth L2CAP code.
2) Temporarily disable Bluetooth functionality on critical Linux systems where it is not essential, reducing the attack surface until patches are deployed.
3) For systems requiring Bluetooth, implement strict access controls and monitoring of Bluetooth interfaces to detect unusual activity or attempts to trigger channel deletions.
4) Employ kernel hardening techniques such as Kernel Address Sanitizer (KASAN) in testing environments to identify similar concurrency issues proactively.
5) Maintain up-to-date inventories of Linux systems and their kernel versions to prioritize patching efforts.
6) Use intrusion detection systems (IDS) and endpoint detection and response (EDR) tools capable of monitoring kernel crashes or anomalies related to Bluetooth operations.
7) Educate system administrators about the risks of kernel-level vulnerabilities and the importance of timely patch management, especially for subsystems like Bluetooth that may be overlooked.

These steps go beyond generic advice by focusing on Bluetooth-specific controls, kernel patching prioritization, and operational monitoring tailored to this vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-25T13:47:42.681Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d982ac4522896dcbe336c

Added to database: 5/21/2025, 9:08:58 AM

Last enriched: 6/29/2025, 3:26:08 PM

Last updated: 7/30/2025, 10:12:51 PM
