CVE-2024-50029: Vulnerability in Linux
Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync

This checks if the ACL connection remains valid as it could be destroyed while hci_enhanced_setup_sync is pending on cmd_sync leading to the following trace:

BUG: KASAN: slab-use-after-free in hci_enhanced_setup_sync+0x91b/0xa60
Read of size 1 at addr ffff888002328ffd by task kworker/u5:2/37
CPU: 0 UID: 0 PID: 37 Comm: kworker/u5:2 Not tainted 6.11.0-rc6-01300-g810be445d8d6 #7099
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x5d/0x80
 ? hci_enhanced_setup_sync+0x91b/0xa60
 print_report+0x152/0x4c0
 ? hci_enhanced_setup_sync+0x91b/0xa60
 ? __virt_addr_valid+0x1fa/0x420
 ? hci_enhanced_setup_sync+0x91b/0xa60
 kasan_report+0xda/0x1b0
 ? hci_enhanced_setup_sync+0x91b/0xa60
 hci_enhanced_setup_sync+0x91b/0xa60
 ? __pfx_hci_enhanced_setup_sync+0x10/0x10
 ? __pfx___mutex_lock+0x10/0x10
 hci_cmd_sync_work+0x1c2/0x330
 process_one_work+0x7d9/0x1360
 ? __pfx_lock_acquire+0x10/0x10
 ? __pfx_process_one_work+0x10/0x10
 ? assign_work+0x167/0x240
 worker_thread+0x5b7/0xf60
 ? __kthread_parkme+0xac/0x1c0
 ? __pfx_worker_thread+0x10/0x10
 ? __pfx_worker_thread+0x10/0x10
 kthread+0x293/0x360
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x2f/0x70
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1a/0x30
 </TASK>

Allocated by task 34:
 kasan_save_stack+0x30/0x50
 kasan_save_track+0x14/0x30
 __kasan_kmalloc+0x8f/0xa0
 __hci_conn_add+0x187/0x17d0
 hci_connect_sco+0x2e1/0xb90
 sco_sock_connect+0x2a2/0xb80
 __sys_connect+0x227/0x2a0
 __x64_sys_connect+0x6d/0xb0
 do_syscall_64+0x71/0x140
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Freed by task 37:
 kasan_save_stack+0x30/0x50
 kasan_save_track+0x14/0x30
 kasan_save_free_info+0x3b/0x60
 __kasan_slab_free+0x101/0x160
 kfree+0xd0/0x250
 device_release+0x9a/0x210
 kobject_put+0x151/0x280
 hci_conn_del+0x448/0xbf0
 hci_abort_conn_sync+0x46f/0x980
 hci_cmd_sync_work+0x1c2/0x330
 process_one_work+0x7d9/0x1360
 worker_thread+0x5b7/0xf60
 kthread+0x293/0x360
 ret_from_fork+0x2f/0x70
 ret_from_fork_asm+0x1a/0x30
AI Analysis
Technical Summary
CVE-2024-50029 is a use-after-free (UAF) vulnerability identified in the Linux kernel's Bluetooth subsystem, specifically within the hci_conn component responsible for managing Bluetooth connections. The flaw occurs in the function hci_enhanced_setup_sync, which handles synchronous setup of enhanced Bluetooth connections. During this process, the code fails to verify that the ACL (Asynchronous Connection-Less) connection is still valid while hci_enhanced_setup_sync is pending on a synchronous command (cmd_sync). This oversight can lead to a use-after-free condition where memory previously allocated for a Bluetooth connection object is accessed after it has been freed. The kernel's Kernel Address Sanitizer (KASAN) detected this issue, reporting a slab-use-after-free read by a worker thread handling Bluetooth commands. The KASAN report shows the object being allocated by __hci_conn_add from hci_connect_sco during a sco_sock_connect() call, and freed by hci_conn_del from hci_abort_conn_sync on the hci_cmd_sync_work worker before the queued setup work ran. The vulnerability therefore arises from a race between the destruction of the connection object and the deferred setup work that still holds a pointer to it. This can cause kernel memory corruption, leading to system instability, crashes (kernel panic), or potentially arbitrary code execution in kernel context if exploited. The vulnerability affects Linux kernel versions around 6.11.0-rc6 and likely other versions incorporating the vulnerable Bluetooth stack code. No public exploits are currently known, and no CVSS score has been assigned yet. However, the detailed kernel stack trace and KASAN report confirm that the flaw is real and serious. The issue was addressed by adding a check that the ACL connection remains valid before proceeding with the setup, preventing the use-after-free condition.
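The check the summary describes, as an added user-space model in C that is not kernel code and not from this page: a deferred cmd_sync work item holds a raw pointer to a connection that hci_conn_del may free before the worker runs, and the fixed path first confirms the pointer is still on the device's connection list and cancels otherwise. The struct layouts, list walk and function names here are hypothetical simplifications of the kernel's.

```c
#include <errno.h>
#include <stdlib.h>

struct hci_conn { int handle; int setup_done; struct hci_conn *next; };
struct hci_dev { struct hci_conn *conn_list; };
struct conn_handle_t { struct hci_conn *conn; };  /* hypothetical cmd_sync payload */

static struct hci_conn *conn_add(struct hci_dev *hdev, int handle)
{
    struct hci_conn *c = calloc(1, sizeof(*c));
    c->handle = handle;
    c->next = hdev->conn_list;
    return hdev->conn_list = c;
}
/* Unlink and free, as hci_conn_del does when the ACL link is aborted. */
static void conn_del(struct hci_dev *hdev, struct hci_conn *conn)
{
    for (struct hci_conn **pp = &hdev->conn_list; *pp; pp = &(*pp)->next)
        if (*pp == conn) { *pp = conn->next; free(conn); return; }
}
/* Validity check: usable only while still on the device list; compares addresses, never dereferences. */
static int conn_valid(struct hci_dev *hdev, struct hci_conn *conn)
{
    for (struct hci_conn *c = hdev->conn_list; c; c = c->next)
        if (c == conn) return 1;
    return 0;
}
/* Deferred work in the fixed shape: cancel instead of touching memory freed while queued. */
static int enhanced_setup_sync(struct hci_dev *hdev, void *data)
{
    struct hci_conn *conn = ((struct conn_handle_t *)data)->conn;
    free(data);                        /* payload consumed, as in the kernel */
    if (!conn_valid(hdev, conn))
        return -ECANCELED;             /* conn destroyed while work was pending */
    conn->setup_done = 1;              /* only reached while conn is live */
    return 0;
}
/* Queue setup work, optionally abort the connection first (the race), run the worker. */
int run_scenario(int abort_before_work)
{
    struct hci_dev hdev = { 0 };
    struct hci_conn *conn = conn_add(&hdev, 0x100);
    struct conn_handle_t *ch = malloc(sizeof(*ch));
    ch->conn = conn;
    if (abort_before_work) conn_del(&hdev, conn);
    int rc = enhanced_setup_sync(&hdev, ch);
    if (!abort_before_work) conn_del(&hdev, conn);
    return rc;
}
```

Without the conn_valid() step the racing path would dereference a freed object, which is exactly the slab-use-after-free read KASAN flagged in the description above.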
Potential Impact
For European organizations, this vulnerability poses a significant risk to any systems running vulnerable Linux kernel versions with Bluetooth enabled. Many enterprise servers, IoT devices, embedded systems, and endpoint devices in Europe use Linux-based operating systems, including distributions like Ubuntu, Debian, Red Hat, and SUSE, which may incorporate the affected kernel versions. Exploitation could allow attackers to cause denial of service by crashing critical systems or potentially escalate privileges by executing arbitrary code in kernel space. This is particularly concerning for industries relying on Bluetooth connectivity for device management, such as manufacturing, healthcare, and automotive sectors prevalent in Europe. Additionally, the vulnerability could be leveraged in targeted attacks against critical infrastructure or government systems using Linux-based platforms. The lack of authentication or user interaction requirements for exploitation increases the threat level, especially in environments where Bluetooth is enabled and accessible. The impact extends to availability, confidentiality, and integrity of affected systems, potentially disrupting business operations and exposing sensitive data.
Mitigation Recommendations
European organizations should promptly apply kernel updates and patches provided by their Linux distribution vendors that address CVE-2024-50029. Since no official patch links are provided yet, monitoring vendor advisories (e.g., Ubuntu Security Notices, Red Hat Errata, SUSE Security Updates) is critical. As an immediate mitigation, organizations can disable Bluetooth functionality on Linux systems where it is not required, reducing the attack surface. For systems that require Bluetooth, implementing strict access controls and network segmentation to limit exposure to untrusted Bluetooth devices is advisable. Enabling the Kernel Address Sanitizer (KASAN) in development and test kernels can help detect similar memory-safety issues early. Additionally, organizations should audit Bluetooth usage and monitor system logs for unusual kernel errors or crashes related to Bluetooth operations. Incorporating intrusion detection systems capable of identifying anomalous Bluetooth activity can further enhance defense. Finally, maintaining an up-to-date asset inventory to identify Linux systems with vulnerable kernels will facilitate targeted remediation efforts.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-10-21T12:17:06.067Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9824c4522896dcbdfd4d
Added to database: 5/21/2025, 9:08:52 AM
Last enriched: 6/28/2025, 4:26:49 PM
Last updated: 8/12/2025, 11:40:54 AM