Linux Kernel Bluetooth L2CAP Command Handling Vulnerability

Vulnerability

A vulnerability in the Linux kernel's Bluetooth implementation, specifically within the Logical Link Control and Adaptation Protocol (L2CAP), has been addressed. The issue arose because the code accepted connection requests without considering the command identifier, leading to multiple requests being incorrectly marked as pending. This could result in allocating more than the maximum allowed connection identifiers, causing an overflow. The vulnerability affected the stable versions of the Linux kernel.

Impact

The vulnerability could lead to a memory overflow by allowing more than the maximum allowed connection identifiers to be allocated, potentially causing undefined behavior or exploitation opportunities.

Reproduction

The vulnerability can be reproduced by sending multiple L2CAP Enhanced Credit-Based Connection Requests using the same command identifier. This can be done by initiating connection requests through a Bluetooth device that supports L2CAP ECRED, such as certain audio devices or peripherals that use Bluetooth Low Energy. The kernel will accept these requests, leading to an overflow by allocating too many connection identifiers.

Remediation

Users can update to the latest stable version of the Linux kernel where this vulnerability has been fixed.
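The condition described above can be modelled in user space to show why tracking the command identifier matters. This is an added example, not code from the kernel or from this page: the structures, function names, MAX_CHANS and the check_ident switch are hypothetical, and MAX_CID is set to 5, the per-request channel limit for enhanced credit-based connections.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_CID   5   /* channels one response can carry (model constant) */
#define MAX_CHANS 32  /* size of this model's channel table (constructed) */

struct chan { uint8_t ident; int pending; uint16_t dcid; };
struct conn { struct chan chans[MAX_CHANS]; size_t nchans; };

/* Number of channels still awaiting a response under this command ident. */
size_t pending_for_ident(const struct conn *c, uint8_t ident)
{
    size_t n = 0;
    for (size_t i = 0; i < c->nchans; i++)
        if (c->chans[i].pending && c->chans[i].ident == ident)
            n++;
    return n;
}

/* Handle one request carrying num_scid source CIDs. check_ident = 0 models
 * the flawed handler, 1 the hardened one. Returns channels created or -1. */
int ecred_conn_req(struct conn *c, uint8_t ident, size_t num_scid, int check_ident)
{
    if (num_scid == 0 || num_scid > MAX_CID || c->nchans + num_scid > MAX_CHANS)
        return -1;
    if (check_ident && pending_for_ident(c, ident) > 0)
        return -1; /* same ident already pending: refuse to stack requests */
    for (size_t i = 0; i < num_scid; i++) {
        c->chans[c->nchans] = (struct chan){ ident, 1, (uint16_t)(0x40 + c->nchans) };
        c->nchans++;
    }
    return (int)num_scid;
}

/* Gather the pending destination CIDs for ident into a MAX_CID-sized response.
 * Returns how many the response needs; above MAX_CID is the overflow case
 * (this model bounds the write instead of overrunning the array). */
size_t ecred_rsp_fill(const struct conn *c, uint8_t ident, uint16_t dcid[MAX_CID])
{
    size_t n = 0;
    for (size_t i = 0; i < c->nchans; i++)
        if (c->chans[i].pending && c->chans[i].ident == ident) {
            if (n < MAX_CID) dcid[n] = c->chans[i].dcid;
            n++;
        }
    return n;
}
```

With check_ident set to 0, two requests under one identifier leave ecred_rsp_fill needing more entries than the response array holds; with it set to 1, the second request is rejected and the count stays within MAX_CID.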

Added: Mar 25, 2026, 11:29 AM
Updated: Mar 25, 2026, 11:29 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 3.1
exploitability: 5.7
remediation: 7.7
relevance: 4.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.