CVE-2024-36013: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect() Extend a critical section to prevent chan from early freeing. Also make the l2cap_connect() return type void. Nothing is using the returned value but it is ugly to return a potentially freed pointer. Making it void will help with backports because earlier kernels did use the return value. Now the compile will break for kernels where this patch is not a complete fix. Call stack summary: [use] l2cap_bredr_sig_cmd l2cap_connect ┌ mutex_lock(&conn->chan_lock); │ chan = pchan->ops->new_connection(pchan); <- alloc chan │ __l2cap_chan_add(conn, chan); │ l2cap_chan_hold(chan); │ list_add(&chan->list, &conn->chan_l); ... (1) └ mutex_unlock(&conn->chan_lock); chan->conf_state ... (4) <- use after free [free] l2cap_conn_del ┌ mutex_lock(&conn->chan_lock); │ foreach chan in conn->chan_l: ... (2) │ l2cap_chan_put(chan); │ l2cap_chan_destroy │ kfree(chan) ... (3) <- chan freed └ mutex_unlock(&conn->chan_lock); ================================================================== BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline] BUG: KASAN: slab-use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] BUG: KASAN: slab-use-after-free in l2cap_connect+0xa67/0x11a0 net/bluetooth/l2cap_core.c:4260 Read of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311
AI Analysis
Technical Summary
CVE-2024-36013 is a use-after-free vulnerability identified in the Linux kernel's Bluetooth L2CAP (Logical Link Control and Adaptation Protocol) implementation, specifically within the l2cap_connect() function. The flaw arises due to improper management of the lifecycle of 'chan' objects representing L2CAP channels. During connection setup, a 'chan' object is allocated and added to a connection's channel list under a mutex lock. However, under certain conditions, the channel can be freed prematurely while still being accessed later in the code, leading to a use-after-free scenario. This is evidenced by the kernel's KASAN (Kernel Address Sanitizer) reports showing slab-use-after-free errors during atomic reads and bit operations on the freed memory. The vulnerability is rooted in a race condition where the critical section protecting the channel list was insufficiently extended, allowing the channel to be freed early. The patch involves extending the critical section and changing the return type of l2cap_connect() to void to prevent misuse of potentially freed pointers. The vulnerability is classified under CWE-416 (Use After Free) and affects Linux kernel versions identified by the given commit hashes. The CVSS v3.1 base score is 6.8 (medium severity), with attack vector being adjacent network (Bluetooth), requiring low privileges and user interaction, and impacting confidentiality, integrity, and availability. No known exploits are reported in the wild as of the publication date.
Potential Impact
For European organizations, this vulnerability poses a moderate risk particularly to systems relying on Linux kernels with Bluetooth capabilities, such as laptops, embedded devices, IoT equipment, and industrial control systems. Exploitation could allow an attacker within Bluetooth range to cause kernel memory corruption, potentially leading to privilege escalation, denial of service (system crashes), or arbitrary code execution in kernel context. This could compromise sensitive data confidentiality and system integrity. Organizations with extensive use of Linux-based Bluetooth devices in operational environments, including manufacturing, healthcare, and critical infrastructure, may face disruptions or targeted attacks exploiting this flaw. The requirement for user interaction and proximity limits remote exploitation but does not eliminate risk in environments with many Bluetooth-enabled devices. Additionally, the flaw could be leveraged as a foothold for lateral movement within networks if combined with other vulnerabilities.
Mitigation Recommendations
1. Apply the official Linux kernel patches addressing CVE-2024-36013 as soon as they become available for your distribution. Monitor vendor advisories for backported fixes. 2. For devices where patching is delayed or not possible, consider disabling Bluetooth functionality if not essential, especially on critical systems. 3. Implement strict Bluetooth device pairing policies and restrict Bluetooth usage to trusted devices only. 4. Employ network segmentation to isolate Bluetooth-enabled devices from sensitive network segments. 5. Monitor system logs and kernel messages for signs of abnormal Bluetooth activity or kernel crashes indicative of exploitation attempts. 6. For embedded or IoT devices, coordinate with manufacturers to ensure firmware updates include the fix. 7. Educate users about the risks of accepting unknown Bluetooth pairing requests to reduce user interaction exploitation vectors.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
CVE-2024-36013: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect() Extend a critical section to prevent chan from early freeing. Also make the l2cap_connect() return type void. Nothing is using the returned value but it is ugly to return a potentially freed pointer. Making it void will help with backports because earlier kernels did use the return value. Now the compile will break for kernels where this patch is not a complete fix. Call stack summary: [use] l2cap_bredr_sig_cmd l2cap_connect ┌ mutex_lock(&conn->chan_lock); │ chan = pchan->ops->new_connection(pchan); <- alloc chan │ __l2cap_chan_add(conn, chan); │ l2cap_chan_hold(chan); │ list_add(&chan->list, &conn->chan_l); ... (1) └ mutex_unlock(&conn->chan_lock); chan->conf_state ... (4) <- use after free [free] l2cap_conn_del ┌ mutex_lock(&conn->chan_lock); │ foreach chan in conn->chan_l: ... (2) │ l2cap_chan_put(chan); │ l2cap_chan_destroy │ kfree(chan) ... (3) <- chan freed └ mutex_unlock(&conn->chan_lock); ================================================================== BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline] BUG: KASAN: slab-use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] BUG: KASAN: slab-use-after-free in l2cap_connect+0xa67/0x11a0 net/bluetooth/l2cap_core.c:4260 Read of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311
AI-Powered Analysis
Technical Analysis
CVE-2024-36013 is a use-after-free vulnerability identified in the Linux kernel's Bluetooth L2CAP (Logical Link Control and Adaptation Protocol) implementation, specifically within the l2cap_connect() function. The flaw arises due to improper management of the lifecycle of 'chan' objects representing L2CAP channels. During connection setup, a 'chan' object is allocated and added to a connection's channel list under a mutex lock. However, under certain conditions, the channel can be freed prematurely while still being accessed later in the code, leading to a use-after-free scenario. This is evidenced by the kernel's KASAN (Kernel Address Sanitizer) reports showing slab-use-after-free errors during atomic reads and bit operations on the freed memory. The vulnerability is rooted in a race condition where the critical section protecting the channel list was insufficiently extended, allowing the channel to be freed early. The patch involves extending the critical section and changing the return type of l2cap_connect() to void to prevent misuse of potentially freed pointers. The vulnerability is classified under CWE-416 (Use After Free) and affects Linux kernel versions identified by the given commit hashes. The CVSS v3.1 base score is 6.8 (medium severity), with attack vector being adjacent network (Bluetooth), requiring low privileges and user interaction, and impacting confidentiality, integrity, and availability. No known exploits are reported in the wild as of the publication date.
Potential Impact
For European organizations, this vulnerability poses a moderate risk particularly to systems relying on Linux kernels with Bluetooth capabilities, such as laptops, embedded devices, IoT equipment, and industrial control systems. Exploitation could allow an attacker within Bluetooth range to cause kernel memory corruption, potentially leading to privilege escalation, denial of service (system crashes), or arbitrary code execution in kernel context. This could compromise sensitive data confidentiality and system integrity. Organizations with extensive use of Linux-based Bluetooth devices in operational environments, including manufacturing, healthcare, and critical infrastructure, may face disruptions or targeted attacks exploiting this flaw. The requirement for user interaction and proximity limits remote exploitation but does not eliminate risk in environments with many Bluetooth-enabled devices. Additionally, the flaw could be leveraged as a foothold for lateral movement within networks if combined with other vulnerabilities.
Mitigation Recommendations
1. Apply the official Linux kernel patches addressing CVE-2024-36013 as soon as they become available for your distribution. Monitor vendor advisories for backported fixes. 2. For devices where patching is delayed or not possible, consider disabling Bluetooth functionality if not essential, especially on critical systems. 3. Implement strict Bluetooth device pairing policies and restrict Bluetooth usage to trusted devices only. 4. Employ network segmentation to isolate Bluetooth-enabled devices from sensitive network segments. 5. Monitor system logs and kernel messages for signs of abnormal Bluetooth activity or kernel crashes indicative of exploitation attempts. 6. For embedded or IoT devices, coordinate with manufacturers to ensure firmware updates include the fix. 7. Educate users about the risks of accepting unknown Bluetooth pairing requests to reduce user interaction exploitation vectors.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-05-17T13:50:33.153Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d9828c4522896dcbe2483
Added to database: 5/21/2025, 9:08:56 AM
Last enriched: 6/29/2025, 9:25:13 AM
Last updated: 7/28/2025, 10:26:52 PM
Views: 16
Related Threats
CVE-2025-36613: CWE-266: Incorrect Privilege Assignment in Dell SupportAssist for Home PCs
LowCVE-2025-27845: n/a
UnknownCVE-2025-7972: CWE-286: Incorrect User Management in Rockwell Automation FactoryTalk® Linx
HighCVE-2025-8876: CWE-20 Improper Input Validation in N-able N-central
CriticalCVE-2025-8875: CWE-502 Deserialization of Untrusted Data in N-able N-central
CriticalActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.