Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 6.16.0-rc7, < 6.16.0-rc8
A use-after-free vulnerability has been identified in the Bluetooth connection management of the Linux kernel, specifically within the 'hci_acl_create_conn_sync' function. The vulnerability arises when a connection object is freed while a command for it is still pending submission. The issue is compounded by similar behavior in the 'hci_le_create_conn_sync' function. The vulnerability has been observed in Linux kernel version 6.16.0-rc7.
Exploitation of this vulnerability leads to a use-after-free condition, which commonly results in memory corruption or arbitrary code execution.
The vulnerability can be reproduced by initiating a Bluetooth connection while another connection is still pending. This can be done by using a Bluetooth management command that creates a connection, and then quickly sending another command that interferes with the first one, before the initial connection process is completed. This sequence of actions can be automated with a script or a tool that sends Bluetooth management commands, simulating a fuzzing attack that disrupts the normal connection process.
Users can upgrade to the latest stable version of the Linux kernel where this vulnerability has been patched. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.