Linux Kernel Bluetooth Management Concurrent Access Vulnerability Leading to Use-After-Free

A vulnerability in the Linux kernel's Bluetooth management system has been addressed. The issue involved concurrent access to the 'mgmt_pending' list, which was not properly synchronized, potentially leading to crashes. This vulnerability could cause a use-after-free error, where memory that has been freed is still accessed, leading to undefined behavior or crashes.

Impact

Exploitation of this vulnerability could lead to a use-after-free condition, causing memory corruption and potentially allowing for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by creating a Bluetooth socket and sending management commands that access the 'mgmt_pending' list. This can be done using a tool like 'syzkaller', which is designed to fuzz the Linux kernel and can trigger the vulnerability by sending concurrent requests that manipulate the 'mgmt_pending' list without proper synchronization.

Remediation

Users should upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.