Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- 6.16.4
A use-after-free vulnerability has been identified in the Bluetooth management layer of the Linux kernel. The 'mgmt_pending' structure can be freed while it is still being processed. The fix introduces a validation mechanism that ensures a pending command has not already been removed from the processing list before it is freed. The issue was reported in Linux kernel version 6.16.4.
Triggering the use-after-free may allow arbitrary code execution or cause a denial of service by crashing the system.
The vulnerability can be reproduced by sending Bluetooth management commands that are processed asynchronously. If a command is canceled while it is still being handled, the associated memory can be freed prematurely, creating a use-after-free condition. This can be triggered by manipulating the command processing flow, such as by closing a Bluetooth device while commands are still being executed.
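A userspace model of the fix and the cancel-during-close race described above, added here as an illustration and not taken from the kernel patch: the completion path confirms the command is still on the pending list, and unlinks it under the same lock, before touching or freeing it. All names (`pending_cmd`, `pending_take`, `pending_flush`, `cmd_complete`) are hypothetical.

```c
/* Userspace model of "validate before free"; names are hypothetical, not the kernel's. */
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>

struct pending_cmd { struct pending_cmd *next; int opcode; };
static struct pending_cmd *pending_head;
static pthread_mutex_t pending_lock = PTHREAD_MUTEX_INITIALIZER;

/* Queue a command for asynchronous processing. */
struct pending_cmd *pending_add(int opcode) {
    struct pending_cmd *cmd = malloc(sizeof(*cmd));
    if (!cmd) return NULL;
    pthread_mutex_lock(&pending_lock);
    *cmd = (struct pending_cmd){ .next = pending_head, .opcode = opcode };
    pending_head = cmd;
    pthread_mutex_unlock(&pending_lock);
    return cmd;
}

/* Unlink cmd only if still listed; cmd is dereferenced only after an address match. */
static bool pending_take(struct pending_cmd *cmd) {
    bool found = false;
    pthread_mutex_lock(&pending_lock);
    for (struct pending_cmd **pp = &pending_head; *pp; pp = &(*pp)->next)
        if (*pp == cmd) { *pp = cmd->next; found = true; break; }
    pthread_mutex_unlock(&pending_lock);
    return found;
}

/* Device close: free every command still pending and return how many. */
int pending_flush(void) {
    int n = 0;
    pthread_mutex_lock(&pending_lock);
    for (struct pending_cmd *cmd; (cmd = pending_head) != NULL; n++) {
        pending_head = cmd->next;
        free(cmd);
    }
    pthread_mutex_unlock(&pending_lock);
    return n;
}

/* Async completion: returns the opcode, or -1 if the command was already removed. */
int cmd_complete(struct pending_cmd *cmd) {
    if (!pending_take(cmd)) return -1;  /* freed elsewhere: do not touch cmd */
    int op = cmd->opcode;               /* safe: this path now owns cmd */
    free(cmd);
    return op;
}
```

Because the membership check and the unlink happen under one lock, exactly one path ends up owning, and freeing, each command.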
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.