CVE-2024-46749: Vulnerability in the Linux kernel (vendor Linux, product Linux)
Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btnxpuart: Fix Null pointer dereference in btnxpuart_flush()

This adds a check before freeing the rx->skb in flush and close functions to handle the kernel crash seen while removing driver after FW download fails or before FW download completes.

dmesg log:
[ 54.634586] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000080
[ 54.643398] Mem abort info:
[ 54.646204] ESR = 0x0000000096000004
[ 54.649964] EC = 0x25: DABT (current EL), IL = 32 bits
[ 54.655286] SET = 0, FnV = 0
[ 54.658348] EA = 0, S1PTW = 0
[ 54.661498] FSC = 0x04: level 0 translation fault
[ 54.666391] Data abort info:
[ 54.669273] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 54.674768] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 54.674771] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 54.674775] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000048860000
[ 54.674780] [0000000000000080] pgd=0000000000000000, p4d=0000000000000000
[ 54.703880] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[ 54.710152] Modules linked in: btnxpuart(-) overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce polyval_generic snd_soc_imx_spdif snd_soc_imx_card snd_soc_ak5558 snd_soc_ak4458 caam secvio error snd_soc_fsl_micfil snd_soc_fsl_spdif snd_soc_fsl_sai snd_soc_fsl_utils imx_pcm_dma gpio_ir_recv rc_core sch_fq_codel fuse
[ 54.744357] CPU: 3 PID: 72 Comm: kworker/u9:0 Not tainted 6.6.3-otbr-g128004619037 #2
[ 54.744364] Hardware name: FSL i.MX8MM EVK board (DT)
[ 54.744368] Workqueue: hci0 hci_power_on
[ 54.757244] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 54.757249] pc : kfree_skb_reason+0x18/0xb0
[ 54.772299] lr : btnxpuart_flush+0x40/0x58 [btnxpuart]
[ 54.782921] sp : ffff8000805ebca0
[ 54.782923] x29: ffff8000805ebca0 x28: ffffa5c6cf1869c0 x27: ffffa5c6cf186000
[ 54.782931] x26: ffff377b84852400 x25: ffff377b848523c0 x24: ffff377b845e7230
[ 54.782938] x23: ffffa5c6ce8dbe08 x22: ffffa5c6ceb65410 x21: 00000000ffffff92
[ 54.782945] x20: ffffa5c6ce8dbe98 x19: ffffffffffffffac x18: ffffffffffffffff
[ 54.807651] x17: 0000000000000000 x16: ffffa5c6ce2824ec x15: ffff8001005eb857
[ 54.821917] x14: 0000000000000000 x13: ffffa5c6cf1a02e0 x12: 0000000000000642
[ 54.821924] x11: 0000000000000040 x10: ffffa5c6cf19d690 x9 : ffffa5c6cf19d688
[ 54.821931] x8 : ffff377b86000028 x7 : 0000000000000000 x6 : 0000000000000000
[ 54.821938] x5 : ffff377b86000000 x4 : 0000000000000000 x3 : 0000000000000000
[ 54.843331] x2 : 0000000000000000 x1 : 0000000000000002 x0 : ffffffffffffffac
[ 54.857599] Call trace:
[ 54.857601] kfree_skb_reason+0x18/0xb0
[ 54.863878] btnxpuart_flush+0x40/0x58 [btnxpuart]
[ 54.863888] hci_dev_open_sync+0x3a8/0xa04
[ 54.872773] hci_power_on+0x54/0x2e4
[ 54.881832] process_one_work+0x138/0x260
[ 54.881842] worker_thread+0x32c/0x438
[ 54.881847] kthread+0x118/0x11c
[ 54.881853] ret_from_fork+0x10/0x20
[ 54.896406] Code: a9be7bfd 910003fd f9000bf3 aa0003f3 (b940d400)
[ 54.896410] ---[ end trace 0000000000000000 ]---
AI Analysis
Technical Summary
CVE-2024-46749 is a vulnerability in the Linux kernel's Bluetooth subsystem, specifically the btnxpuart driver for NXP Bluetooth controllers attached over a UART. The flaw is an invalid pointer dereference in btnxpuart_flush() and the matching close path: the driver hands its receive buffer pointer (rx_skb, a socket buffer) to kfree_skb() without first checking that the pointer refers to a real buffer. The condition arises when the driver is removed after the firmware download to the controller has failed, or before that download has completed. The kernel log in the description shows the outcome: a data abort at virtual address 0x80, raised inside kfree_skb_reason() with btnxpuart_flush() as the caller, on the hci0 hci_power_on workqueue, while the btnxpuart module is being unloaded (listed as btnxpuart(-) in the module list).

One detail in the log matters for anyone triaging this or reviewing the fix: the faulting pointer is not literally NULL. x0 (the first argument, the skb) holds 0xffffffffffffffac, which is -84, the value -EILSEQ on Linux; the kernel stores error returns in pointer-typed fields this way (ERR_PTR), and the receive path evidently left such an error value in the buffer slot. The faulting instruction b940d400 decodes to LDR W0, [X0, #0xd4], the read of the buffer's reference count at the start of kfree_skb_reason(), and -84 plus 0xd4 wraps to exactly 0x80, the reported fault address. kfree_skb() already returns early on a NULL argument, so a bare NULL test would not have prevented this crash; the fix guards the free so that neither NULL nor an error-encoded pointer reaches kfree_skb() (the kernel's IS_ERR_OR_NULL() idiom), in both the flush and the close function.

The impact is a kernel Oops, i.e. a denial of service on the affected host. Nothing in the report indicates privilege escalation or code execution, and the trigger is a local driver lifecycle operation (unloading the module, or the HCI device being opened or closed) combined with a failed or incomplete firmware download, not Bluetooth traffic from a peer. The affected code is the btnxpuart driver in kernel versions before the fix; the driver is used on embedded platforms such as the FSL i.MX8MM EVK board named in the log. No exploits are reported in the wild and no CVSS score has been assigned.
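The pointer arithmetic above, and the difference between a NULL check and the guard the fix needs, can be reproduced in user space. The following is an added example written for this page, not the kernel's code or the upstream patch: the ERR_PTR/IS_ERR helpers mirror the kernel's <linux/err.h> encoding, while struct sk_buff, the 0xd4 reference-count offset (decoded from the report's faulting instruction) and the modelled free routine are assumptions used only to make the point concrete.

```c
/* Added example, not the kernel's code: a user-space model of the pointer
 * value in the CVE-2024-46749 report, showing why a bare NULL test would not
 * have stopped the crash and what the IS_ERR_OR_NULL() guard changes.
 * ERR_PTR/IS_ERR reproduce the kernel's <linux/err.h> encoding. The sk_buff
 * layout, the 0xd4 offset (decoded from the report's faulting instruction
 * b940d400 = LDR W0, [X0, #0xd4]) and the free routine are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Kernel error-pointer encoding: the last MAX_ERRNO addresses carry -errno. */
#define MAX_ERRNO 4095UL
static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
static inline bool IS_ERR(const void *ptr)
{
    return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO;
}
static inline bool IS_ERR_OR_NULL(const void *ptr)
{
    return ptr == NULL || IS_ERR(ptr);
}

/* x0 in the report: 0xffffffffffffffac, i.e. -84, which is -EILSEQ on Linux. */
#define REPORT_X0 (-84L)

/* The first field kfree_skb_reason() reads after its NULL check is the
 * reference count; its offset here is taken from the faulting instruction. */
#define SKB_USERS_OFFSET 0xd4
struct sk_buff {
    unsigned char pad[SKB_USERS_OFFSET];
    unsigned int users;
};

/* Address the reference-count read would touch for a given rx_skb value.
 * For REPORT_X0 this wraps to 0x80, the fault address in the report. */
uintptr_t kfree_fault_address(const void *rx_skb)
{
    return (uintptr_t)rx_skb + SKB_USERS_OFFSET;
}

/* Pre-fix behaviour: kfree_skb() returns early on NULL but dereferences any
 * other value, so an error-encoded pointer faults. */
bool unguarded_free_would_fault(const void *rx_skb)
{
    return rx_skb != NULL && IS_ERR(rx_skb);
}

/* Model of kfree_skb() on a genuine buffer. */
static void model_kfree_skb(struct sk_buff *skb)
{
    if (skb && --skb->users == 0)
        free(skb);
}

/* Post-fix flush/close logic: free only a genuine skb and clear the slot so
 * a later flush or close cannot free it twice. Returns true when freed. */
bool guarded_flush(struct sk_buff **rx_skb)
{
    if (IS_ERR_OR_NULL(*rx_skb))
        return false;
    model_kfree_skb(*rx_skb);
    *rx_skb = NULL;
    return true;
}

/* Runs both flush cases; true when the guard behaves as the fix intends. */
bool guarded_flush_behaves(void)
{
    struct sk_buff *slot = ERR_PTR(REPORT_X0);
    if (guarded_flush(&slot) || PTR_ERR(slot) != REPORT_X0)
        return false;                 /* error pointer must be left alone */
    struct sk_buff *real = calloc(1, sizeof *real);
    if (!real)
        return false;
    real->users = 1;
    slot = real;
    return guarded_flush(&slot) && slot == NULL;  /* freed, slot cleared */
}

int main(void)
{
    const void *rx_skb = ERR_PTR(REPORT_X0);
    printf("rx_skb = %#lx -> reference-count read at %#lx\n",
           (unsigned long)(uintptr_t)rx_skb,
           (unsigned long)kfree_fault_address(rx_skb));
    printf("pre-fix kfree_skb() faults: %s\n",
           unguarded_free_would_fault(rx_skb) ? "yes" : "no");
    printf("pre-fix kfree_skb(NULL) faults: %s\n",
           unguarded_free_would_fault(NULL) ? "yes" : "no");
    printf("guarded flush behaves: %s\n", guarded_flush_behaves() ? "yes" : "no");
    return 0;
}
```

The reference-count offset is the only number in the model taken from the crash rather than from kernel headers; if you recompute it for another kernel build, the instruction in the Code: line of the Oops is the place to read it from. The same guard shape applies to any driver field that can hold either a buffer or an ERR_PTR error return.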
Potential Impact
For European organizations, the impact of CVE-2024-46749 is loss of availability on Linux systems that use the btnxpuart Bluetooth driver. That driver appears on embedded and industrial Linux platforms with an NXP Bluetooth controller on a UART (IoT gateways, industrial control equipment, evaluation boards such as the i.MX8MM EVK named in the log) rather than on general-purpose servers or desktops. A kernel Oops on such a device stops whatever it was doing and normally needs a reboot or a watchdog reset; where the device sits in a manufacturing line, a healthcare setup or a telecom installation, that downtime can matter more than the simplicity of the bug suggests. The report gives no indication of remote code execution or data compromise. The trigger is also narrow: the driver must be active, the firmware download to the controller must have failed or still be in progress, and the HCI device must then be flushed or closed, which in the log happens during module removal. That makes the crash reachable by a privileged local user or by ordinary fault conditions that make the firmware download fail, but there is no evidence of a path a remote peer could drive over Bluetooth. Unpatched systems therefore face unexpected crashes during maintenance or boot-time firmware problems rather than targeted attack, which still argues for applying the fix on fleets where recovery means a site visit.
Mitigation Recommendations
European organizations should take the following specific mitigation steps: 1) Identify and inventory Linux systems and embedded devices that carry the btnxpuart driver: check for the loaded module (/sys/module/btnxpuart), for a btnxpuart.ko file under /lib/modules, or for CONFIG_BT_NXPUART in the kernel configuration, and record the kernel version of each device. 2) Apply the upstream fix, which adds the pointer check in btnxpuart_flush() and in the close function; the CVE was published for an already resolved commit, so take it from the stable kernel series or from the distribution's kernel update rather than waiting for a separate advisory. 3) For embedded devices or custom kernel builds, backport the patch to the product kernel, rebuild and redeploy to the affected devices. 4) Monitor kernel logs (dmesg, journalctl -k, or the device's serial console) for Oops reports with btnxpuart_flush in the call trace, and make sure fielded devices have a watchdog or remote reset so that a crash does not require a site visit. 5) Make the firmware download path reliable: ship the controller firmware image the driver expects as part of the device image so the download does not fail at boot, and test the rollback path where firmware is updated remotely. 6) Restrict the local operations that reach the crash path (unloading the module, bringing the HCI device down and up) to administrators; this bug is not triggered by Bluetooth traffic from peers, so pairing or connection restrictions do not address it. 7) In environments where uptime is critical, keep redundant units or failover so a single device crash does not stop the process. 8) Ask hardware vendors whether their boards use btnxpuart and request kernel or BSP updates that include the fix.
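A small helper for steps 1 and 4 above, added here as an example and not part of the advisory or of any vendor tooling. The live inventory checks (module directory, module file, /boot config) use the usual Linux locations and are best effort; the scanner counts Oops reports whose trace passes through the driver, and the sample log it is run on is constructed from a trimmed copy of the report's dmesg lines followed by an unrelated Oops so that the filter can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the advisory or the kernel tree: an inventory
# check for the btnxpuart driver plus a scanner that counts kernel Oops
# reports whose call trace passes through btnxpuart. The sample log at the
# bottom is constructed (a trimmed copy of the report's dmesg lines followed
# by an unrelated Oops) so the scanner can be exercised offline.

# Step 1 of the mitigation list: does this host carry the driver at all?
# Prints one line per finding; exit status 0 if anything was found.
# Paths and tools are the usual Linux ones but are not guaranteed everywhere.
btnxpuart_inventory() {
    found=1
    rel=$(uname -r 2>/dev/null || echo unknown)
    echo "kernel: $rel"
    if [ -d /sys/module/btnxpuart ]; then
        echo "btnxpuart: loaded (module directory present)"
        found=0
    fi
    ko=$(find "/lib/modules/$rel" -name 'btnxpuart.ko*' 2>/dev/null | head -n 1)
    if [ -n "$ko" ]; then
        echo "btnxpuart: module file $ko"
        found=0
    fi
    cfg="/boot/config-$rel"
    if [ -r "$cfg" ] && grep -q '^CONFIG_BT_NXPUART=' "$cfg"; then
        echo "btnxpuart: $(grep '^CONFIG_BT_NXPUART=' "$cfg")"
        found=0
    fi
    return $found
}

# Step 4: count Oops reports in kernel log text on stdin that have a
# btnxpuart frame in their trace. "Modules linked in" lists every loaded
# module, so only frames tagged "[btnxpuart]" (pc/lr lines and call trace
# entries) count, and only between an "Unable to handle" line and the
# "end trace" marker that closes the same report.
count_btnxpuart_oops() {
    awk '
        /Unable to handle kernel/ { in_oops = 1; hit = 0; next }
        in_oops && /\[btnxpuart\]/ { hit = 1 }
        in_oops && /end trace/    { if (hit) n++; in_oops = 0 }
        END { print n + 0 }
    '
}

# Constructed sample: the report's Oops, then a second Oops that merely has
# btnxpuart loaded (it appears in the module list) but not in its trace.
SAMPLE_LOG='[   54.634586] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000080
[   54.710152] Modules linked in: btnxpuart(-) overlay fuse
[   54.744368] Workqueue: hci0 hci_power_on
[   54.757249] pc : kfree_skb_reason+0x18/0xb0
[   54.772299] lr : btnxpuart_flush+0x40/0x58 [btnxpuart]
[   54.857599] Call trace:
[   54.857601]  kfree_skb_reason+0x18/0xb0
[   54.863878]  btnxpuart_flush+0x40/0x58 [btnxpuart]
[   54.863888]  hci_dev_open_sync+0x3a8/0xa04
[   54.872773]  hci_power_on+0x54/0x2e4
[   54.896410] ---[ end trace 0000000000000000 ]---
[  120.000001] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
[  120.000002] Modules linked in: btnxpuart overlay fuse
[  120.000003] pc : some_other_driver_probe+0x20/0x80 [some_other_driver]
[  120.000004] Call trace:
[  120.000005]  some_other_driver_probe+0x20/0x80 [some_other_driver]
[  120.000006] ---[ end trace 0000000000000000 ]---'

# Offline demonstration on the constructed sample. On a real host run
#   dmesg | count_btnxpuart_oops    or    journalctl -k | count_btnxpuart_oops
# and call btnxpuart_inventory for the driver check. Expected count here: 1.
printf '%s\n' "$SAMPLE_LOG" | count_btnxpuart_oops
```

The scanner deliberately ignores the "Modules linked in" line: on a board that has the driver loaded, every Oops lists it there, so matching on the bare module name would flag unrelated crashes. A count above zero is a reason to pull the full log and compare the trace against the one in the description.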
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-09-11T15:12:18.267Z
- CISA Enriched: true
- CVSS Version: null (no score assigned)
- State: PUBLISHED
Threat ID: 682d9826c4522896dcbe11a7
Added to database: 5/21/2025, 9:08:54 AM
Last enriched: 6/29/2025, 1:11:48 AM
Last updated: 8/14/2025, 11:59:13 PM