Linux Kernel Bluetooth SCO Connection Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Bluetooth subsystem of the Linux kernel, specifically in the handling of Synchronous Connection-Oriented (SCO) sockets. The issue arises when the same socket is connected twice in quick succession: the resulting race condition creates two SCO connection objects, but only one of them is linked to the socket. If the socket is closed before the SCO connection is fully established, the timer belonging to the unlinked SCO connection object is not cancelled. When the socket is then deallocated, the timer's callback function accesses the already-freed socket, producing a use-after-free condition. This vulnerability has been assigned a CVSS score of 7.8.

Impact

Exploitation of this vulnerability triggers a use-after-free condition, in which the kernel accesses memory that has already been released. Depending on what occupies the freed memory at that point, this can lead to arbitrary code execution or to stability problems such as a system crash.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  spread          9.0
  impact          2.5
  exploitability  5.0
  remediation     0.0
  relevance       0.0
  threat          3.2
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to produce these 8 key vulnerability categories, which are then combined into the overall risk score.