Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 7.0.0-rc1, < 7.0.0-rc1-dirty
A use-after-free vulnerability has been identified in the Linux kernel's Bluetooth HIDP (Human Interface Device Profile) implementation. This issue arises because the L2CAP (Logical Link Control and Adaptation Protocol) connection reference is not properly released when the user removal callback is invoked. As a result, the connection can be freed while it is still in use, leading to potential memory corruption.
Exploitation of this vulnerability causes a use-after-free condition, which can lead to memory corruption. Such conditions are often exploitable, allowing for arbitrary code execution or causing a denial-of-service by crashing the system.
The vulnerability can be reproduced by creating a Bluetooth HIDP session and then removing the user associated with that session without properly releasing the L2CAP connection reference. This can be done by triggering the user removal callback while the session is still active, causing the L2CAP connection to be freed prematurely.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version can be found in the Linux kernel documentation.