Linux Kernel Bluetooth RCU-Based Vulnerability Leading to Use-After-Free

Vulnerability

A use-after-free vulnerability has been identified in the Bluetooth subsystem of the Linux kernel. The issue arises in the 'hci_update_accept_list_sync' function, which iterates the pending connection and report lists without proper synchronization. The vulnerability can be triggered by modifying these lists concurrently, so that an entry is freed while the function still references it, leading to invalid memory access. The issue has been observed with the BlueZ management tester and certain Bluetooth ISO testing scenarios.
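
The pattern behind this class of bug, as an added user-space model that is not code from the kernel or from the fix: a walker iterates the pending-device list while the management path removes an entry, and freeing that entry immediately is the use-after-free, whereas deferring the free until no walker is inside its read-side section (the RCU idea the title refers to) avoids it. All names (dev_entry, pend_list, scan_pending, remove_device) and the single-threaded simulation of the interleaving are assumptions made for this example.

```c
#include <stdlib.h>

struct dev_entry {
    struct dev_entry *next;      /* list link; left intact on unlink so a walker can continue */
    struct dev_entry *free_next; /* chain of unlinked entries whose free is deferred */
    int id;
};
static struct dev_entry *pend_list; /* hypothetical "pending LE devices" list */
static struct dev_entry *deferred;  /* unlinked, not yet freed */
static int active_readers;          /* walkers inside the read-side section */
static int freed_total;
static void free_deferred(void) {
    while (deferred) {
        struct dev_entry *e = deferred;
        deferred = e->free_next;
        free(e); freed_total++;
    }
}
void add_device(int id) {
    struct dev_entry *e = calloc(1, sizeof *e);
    if (!e) abort();
    e->id = id;
    e->next = pend_list;
    pend_list = e;
}
/* Writer (the management path): unlink now, free only once no walker can hold the pointer. */
void remove_device(int id) {
    struct dev_entry **pp = &pend_list;
    while (*pp && (*pp)->id != id) pp = &(*pp)->next;
    if (!*pp) return;
    struct dev_entry *e = *pp;
    *pp = e->next;                      /* e->next deliberately untouched */
    e->free_next = deferred;
    deferred = e;
    if (active_readers == 0) free_deferred();
}
/* Reader (the accept-list update): remove_id simulates a removal landing while the walker
 * sits on that entry; an immediate free instead of the deferral would make the next step a UAF. */
int scan_pending(int remove_id) {
    int seen = 0;
    active_readers++;                   /* rcu_read_lock() analogue */
    for (struct dev_entry *e = pend_list; e; e = e->next) {
        if (e->id == remove_id) remove_device(remove_id);
        seen++;                         /* e is unlinked at most, never freed here */
    }
    active_readers--;                   /* rcu_read_unlock() analogue */
    if (active_readers == 0) free_deferred();
    return seen;
}
int pending_count(void) { int n = 0; for (struct dev_entry *e = pend_list; e; e = e->next) n++; return n; }
int freed_count(void) { return freed_total; }
```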

Impact

Triggering this vulnerability causes a use-after-free condition, in which already freed memory is accessed, potentially leading to memory corruption or arbitrary code execution in the kernel.

Reproduction

The vulnerability can be reproduced by using the BlueZ management tester case 'Add + Remove Device Nowait - Success', or by altering the 'hci_le_set_cig_params' function to always return false, while running an ISO testing scenario.

Remediation

Users should upgrade to a kernel that includes the fix, which is available in the Linux kernel stable tree.

Added: Sep 15, 2025, 4:07 PM
Updated: Sep 15, 2025, 4:07 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.