Linux Kernel Bluetooth L2CAP Channel Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Bluetooth L2CAP (Logical Link Control and Adaptation Protocol) implementation of the Linux kernel. The issue arises because the function responsible for sending data over an L2CAP channel releases the channel lock before allocating a new buffer. While the lock is released, the channel could be disconnected, leading to a use-after-free condition. The vulnerability affects several versions of the Linux kernel.
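The race window described above, as an added userspace model that is not kernel code and not the upstream patch: it contrasts the flawed ordering with one common way to close this class of race (pin the object with a reference, then re-check its state after relocking). All names are hypothetical, the "disconnect" is simulated by a callback, and freeing is modeled with a flag so both variants are safe to run.

```c
#include <stddef.h>

/* Userspace model; every name here is hypothetical, not a kernel identifier. */
enum { ST_CONNECTED, ST_CLOSED };
enum { SEND_OK = 0, SEND_NOTCONN = -1, SEND_UAF = -2 };

struct chan {
    int refcnt;  /* object is released when this reaches 0 */
    int state;
    int locked;  /* stands in for the channel lock */
    int freed;   /* set instead of calling free(), so the model is safe to run */
};

static void chan_hold(struct chan *c) { c->refcnt++; }
static void chan_put(struct chan *c)  { if (--c->refcnt == 0) c->freed = 1; }

/* What a concurrent disconnect does while the sender has dropped the lock. */
static void peer_disconnect(struct chan *c)
{
    c->state = ST_CLOSED;
    chan_put(c);             /* drops the connection's reference */
}

/* Buffer allocation runs with the lock released; the race window is here. */
static void alloc_unlocked(struct chan *c, void (*racer)(struct chan *))
{
    c->locked = 0;
    if (racer) racer(c);     /* simulated concurrent disconnect */
}

/* Flawed ordering: no reference is held, so the channel can die in the window. */
int send_unsafe(struct chan *c, void (*racer)(struct chan *))
{
    alloc_unlocked(c, racer);
    if (c->freed) return SEND_UAF;  /* real code would now touch freed memory */
    c->locked = 1;
    return c->state == ST_CONNECTED ? SEND_OK : SEND_NOTCONN;
}

/* Hardened ordering: pin the channel, relock, then re-check its state. */
int send_safe(struct chan *c, void (*racer)(struct chan *))
{
    chan_hold(c);
    alloc_unlocked(c, racer);
    c->locked = 1;           /* safe: our reference keeps the object alive */
    int ret = c->state == ST_CONNECTED ? SEND_OK : SEND_NOTCONN;
    chan_put(c);
    return ret;
}
```

With the reference held, a disconnect during the allocation surfaces as a clean "not connected" error instead of an access to released memory.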

Impact

Exploitation of this vulnerability could lead to a use-after-free condition, potentially allowing for arbitrary code execution or memory corruption.

Reproduction

The vulnerability can be reproduced by sending data over an L2CAP channel while the channel lock is released. This can be done by using a Bluetooth device to establish a connection and then initiating a data transfer that triggers the vulnerability, such as by using a custom application or script that interacts with the Bluetooth stack.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the kernel can be found in the official Linux documentation.

Added: Dec 30, 2025, 3:40 PM
Updated: Dec 30, 2025, 3:40 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 1.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.