
CVE-2024-50255: Vulnerability in Linux Linux

Severity: High
Published: Sat Nov 09 2024 (11/09/2024, 10:15:08 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs

Fix __hci_cmd_sync_sk() to return not NULL for unknown opcodes. __hci_cmd_sync_sk() returns NULL if a command returns a status event. However, it also returns NULL where an opcode doesn't exist in the hci_cc table because hci_cmd_complete_evt() assumes status = skb->data[0] for unknown opcodes. This leads to null-ptr-deref in cmd_sync for HCI_OP_READ_LOCAL_CODECS as there is no hci_cc for HCI_OP_READ_LOCAL_CODECS, which always assumes status = skb->data[0].

KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
CPU: 1 PID: 2000 Comm: kworker/u9:5 Not tainted 6.9.0-ga6bcb805883c-dirty #10
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: hci7 hci_power_on
RIP: 0010:hci_read_supported_codecs+0xb9/0x870 net/bluetooth/hci_codec.c:138
Code: 08 48 89 ef e8 b8 c1 8f fd 48 8b 75 00 e9 96 00 00 00 49 89 c6 48 ba 00 00 00 00 00 fc ff df 4c 8d 60 70 4c 89 e3 48 c1 eb 03 <0f> b6 04 13 84 c0 0f 85 82 06 00 00 41 83 3c 24 02 77 0a e8 bf 78
RSP: 0018:ffff888120bafac8 EFLAGS: 00010212
RAX: 0000000000000000 RBX: 000000000000000e RCX: ffff8881173f0040
RDX: dffffc0000000000 RSI: ffffffffa58496c0 RDI: ffff88810b9ad1e4
RBP: ffff88810b9ac000 R08: ffffffffa77882a7 R09: 1ffffffff4ef1054
R10: dffffc0000000000 R11: fffffbfff4ef1055 R12: 0000000000000070
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88810b9ac000
FS: 0000000000000000(0000) GS:ffff8881f6c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6ddaa3439e CR3: 0000000139764003 CR4: 0000000000770ef0
PKRU: 55555554
Call Trace:
 <TASK>
 hci_read_local_codecs_sync net/bluetooth/hci_sync.c:4546 [inline]
 hci_init_stage_sync net/bluetooth/hci_sync.c:3441 [inline]
 hci_init4_sync net/bluetooth/hci_sync.c:4706 [inline]
 hci_init_sync net/bluetooth/hci_sync.c:4742 [inline]
 hci_dev_init_sync net/bluetooth/hci_sync.c:4912 [inline]
 hci_dev_open_sync+0x19a9/0x2d30 net/bluetooth/hci_sync.c:4994
 hci_dev_do_open net/bluetooth/hci_core.c:483 [inline]
 hci_power_on+0x11e/0x560 net/bluetooth/hci_core.c:1015
 process_one_work kernel/workqueue.c:3267 [inline]
 process_scheduled_works+0x8ef/0x14f0 kernel/workqueue.c:3348
 worker_thread+0x91f/0xe50 kernel/workqueue.c:3429
 kthread+0x2cb/0x360 kernel/kthread.c:388
 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

AI-Powered Analysis

Last updated: 06/28/2025, 13:27:38 UTC

Technical Analysis

CVE-2024-50255 is a vulnerability in the Linux kernel's Bluetooth subsystem, specifically in the handling of HCI (Host Controller Interface) commands. The flaw lies in __hci_cmd_sync_sk(), the function that sends an HCI command synchronously and waits for its completion. It returns NULL not only when a command completes with a status event, but also when the command's opcode has no entry in the hci_cc command-completion table, because hci_cmd_complete_evt() assumes for unknown opcodes that the status byte sits at skb->data[0]. HCI_OP_READ_LOCAL_CODECS has no hci_cc entry, so hci_read_supported_codecs() receives NULL for that command and dereferences it, crashing the kernel with a null pointer dereference. The issue was detected with the Kernel Address Sanitizer (KASAN) on kernel 6.9.0 and potentially affects other versions that carry the same Bluetooth HCI code. The stack trace shows the crash occurring during Bluetooth device initialization (hci_power_on -> hci_dev_open_sync -> hci_init_sync), in the stage that reads the controller's local codecs, which is a prerequisite for Bluetooth functionality. The flaw can therefore cause a denial of service (DoS) by crashing the kernel when the affected Bluetooth command is processed. There is no indication of remote code execution or privilege escalation from this flaw, but the kernel crash disrupts system availability and Bluetooth-dependent services. No exploits in the wild have been reported, and no CVSS score has been assigned yet.
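As an added illustration (not code from the kernel or from this advisory), the following userspace C model reproduces the three-way return contract the analysis describes (reply buffer, ERR_PTR, or NULL for an opcode without a completion handler) and contrasts a caller that checks only IS_ERR() with one that uses IS_ERR_OR_NULL(); cmd_sync(), HCI_OP_KNOWN_DEMO and the reply bytes are constructed for the demo.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Local re-implementations of the kernel's linux/err.h helpers for the demo. */
#define MAX_ERRNO 4095
#define ERR_PTR(e) ((void *)(long)(e))
#define IS_ERR(p) ((unsigned long)(p) >= (unsigned long)-MAX_ERRNO)
#define IS_ERR_OR_NULL(p) (!(p) || IS_ERR(p))

#define HCI_OP_READ_LOCAL_CODECS 0x100b /* Read Local Supported Codecs (OGF 4, OCF 0x0b) */
#define HCI_OP_KNOWN_DEMO        0x1001 /* constructed opcode that has a handler in this model */

struct skb { uint8_t data[8]; };                                  /* stand-in for struct sk_buff */
struct rp_codecs { uint8_t status; uint8_t num_codecs; uint8_t codecs[6]; };

/* Models the pre-fix __hci_cmd_sync_sk() behaviour from the advisory: a controller
 * error becomes ERR_PTR(-errno), an opcode with no hci_cc entry yields NULL, and
 * only a known opcode hands back the reply buffer. */
static struct skb *cmd_sync(uint16_t opcode, int controller_err)
{
    static struct skb reply = { .data = { 0x00, 0x02, 0x01, 0x02 } }; /* constructed reply: status 0, 2 codecs */
    if (controller_err)
        return ERR_PTR(-EIO);
    if (opcode != HCI_OP_KNOWN_DEMO)
        return NULL;                                              /* unknown opcode: no skb stored */
    return &reply;
}

/* Pre-fix caller pattern: IS_ERR() does not catch NULL, so rp->status reads
 * through a NULL pointer, matching the KASAN report above. */
static int read_codecs_vulnerable(uint16_t opcode)
{
    struct skb *skb = cmd_sync(opcode, 0);
    if (IS_ERR(skb))
        return (int)(long)skb;
    struct rp_codecs *rp = (struct rp_codecs *)skb->data;         /* NULL deref when skb == NULL */
    return rp->status ? -EIO : rp->num_codecs;
}

/* Hardened caller: a NULL reply is a failure too, so an opcode without a
 * completion handler can never crash the caller. */
static int read_codecs_hardened(uint16_t opcode, int controller_err)
{
    struct skb *skb = cmd_sync(opcode, controller_err);
    if (IS_ERR_OR_NULL(skb))
        return IS_ERR(skb) ? (int)(long)skb : -ENODATA;
    struct rp_codecs *rp = (struct rp_codecs *)skb->data;
    return rp->status ? -EIO : rp->num_codecs;
}
```

Calling read_codecs_vulnerable(HCI_OP_READ_LOCAL_CODECS) segfaults in this model, which is the userspace analogue of the kernel oops; the hardened variant returns -ENODATA instead.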

Potential Impact

For European organizations, the impact of CVE-2024-50255 primarily involves potential denial of service conditions on Linux systems utilizing Bluetooth functionality. Many enterprises and public sector entities in Europe rely on Linux-based infrastructure, including servers, desktops, and embedded devices that support Bluetooth communication. A kernel crash triggered by this vulnerability could disrupt critical operations, especially in environments where Bluetooth is used for device pairing, secure access, or IoT device management. Industrial control systems, healthcare devices, and transportation systems that run Linux and use Bluetooth could experience outages or degraded service. The disruption could affect confidentiality indirectly if system availability impacts security monitoring or incident response capabilities. Integrity is less likely to be affected as this is not a code execution vulnerability. Availability impact is moderate to high depending on the reliance on Bluetooth services. Since exploitation requires triggering specific Bluetooth HCI commands, attackers with local access or the ability to send crafted Bluetooth commands could cause system crashes. This risk is heightened in environments with many Bluetooth-enabled devices or where attackers can connect to Bluetooth interfaces. European organizations with large Linux deployments, especially those in technology, manufacturing, healthcare, and critical infrastructure sectors, should be aware of this threat.

Mitigation Recommendations

To mitigate CVE-2024-50255, European organizations should:

1) Apply the latest Linux kernel patches as soon as they become available from trusted sources or distributions, ensuring the fix for the null pointer dereference in the Bluetooth HCI code is included.
2) Temporarily disable Bluetooth functionality on critical systems where it is not essential, reducing the attack surface until patches are applied.
3) Implement strict access controls on Bluetooth interfaces, including disabling Bluetooth on servers and devices where it is unnecessary or restricting pairing and connection capabilities to trusted devices only.
4) Monitor kernel logs and system behavior for signs of crashes or Bluetooth subsystem errors that may indicate attempted exploitation.
5) For embedded or IoT devices running Linux with Bluetooth, coordinate with vendors to obtain firmware updates or patches addressing this vulnerability.
6) Employ network segmentation and endpoint protection to limit attacker access to systems with Bluetooth interfaces.
7) Educate system administrators about this vulnerability and the importance of timely patching and Bluetooth management.

These steps go beyond generic advice by focusing on controlling Bluetooth access and monitoring kernel stability related to Bluetooth operations.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-10-21T19:36:19.980Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9824c4522896dcbdf66a

Added to database: 5/21/2025, 9:08:52 AM

Last enriched: 6/28/2025, 1:27:38 PM

Last updated: 7/28/2025, 11:11:46 PM

