Zephyr
cpe:2.3:a:zephyrproject:zephyr:*:*:*:*:*:*:*
- <= 4.1
A use-after-free vulnerability has been identified in the Bluetooth connection transmission processor of Zephyr versions through 4.1. This issue arises from improper management of network buffers holding ACL transmission data. When a Bluetooth disconnection occurs, the processor deallocates these buffers without considering that the data may be segmented. This oversight leads to a write-before-zero condition, where the freed buffer is reused and written to, allowing an attacker to manipulate the written bytes and cause precise memory corruption. Such exploitation could form the basis of a reliable remote attack.
Exploitation triggers the use-after-free and the resulting write-before-zero, in which a stale buffer is reused and written to. The four written bytes are under attacker control, which enables precise memory corruption. The vulnerability can be exploited remotely, making it a significant security risk.
Users can refer to the Zephyr GitHub repository for information on the vulnerability and potential patches. As of now, there is no official patched version available.