Linux Kernel Bluetooth Connection Cleanup Vulnerability Leading to Use-After-Free

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's Bluetooth subsystem, in the connection management for SCO (Synchronous Connection-Oriented) and ISO (Isochronous) links. The vulnerability occurs when an ACL (Asynchronous Connection-oriented) connection is deleted prematurely, leaving the SCO or ISO connections that depend on it in an inconsistent state. The connection management code is not properly notified before the ACL connection is deleted, so the dependent SCO or ISO connections can still reference the freed connection, which leads to the use-after-free. The vulnerability affects the Linux kernel's stable releases.

Impact

The vulnerability can be exploited to create a use-after-free condition, which may lead to memory corruption and potentially allow for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by establishing SCO or ISO connections and then prematurely deleting the parent ACL connection before the child connections have been cleaned up. This is done by manipulating the connection management process to trigger an early ACL deletion, which leaves the SCO or ISO connections dangling rather than properly terminated.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed.

Added: Sep 18, 2025, 3:22 PM
Updated: Sep 18, 2025, 3:22 PM

Vulnerability Rating

Custom Algorithm

spread          9.0
impact          2.5
exploitability  5.7
remediation     7.7
relevance       0.6
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.