Linux Kernel Bluetooth Use-After-Free Vulnerability in Connection Parameter Request Handling

Vulnerability

A use-after-free vulnerability has been addressed in the Linux kernel's Bluetooth subsystem. The issue arises in the handling of connection parameter requests for low-energy (LE) remote devices. Specifically, the lookup of the connection handle and the subsequent field accesses are not properly synchronized with the device lock, so the connection data can be freed while it is still in use. This vulnerability affects the Linux kernel stable group.
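The locking pattern described above, as an added example that is not code from the kernel or from this advisory: a single-threaded userspace model in C that forces a teardown between the handle lookup and the field accesses, with and without the device lock held. All type and function names are hypothetical, and it assumes the fix is to hold the device lock across both the lookup and the field accesses, as the description implies.

```c
/* Userspace model, constructed for illustration; all names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

struct conn { uint16_t handle, interval_min, interval_max; bool live; };
struct dev  { bool locked, teardown_pending; struct conn slot; };

/* Teardown path (e.g. a disconnect): deferred while the device lock is held.
 * Clearing `live` stands in for freeing the connection object. */
static void teardown(struct dev *d)
{
    if (d->locked) { d->teardown_pending = true; return; }
    d->slot.live = false;
}

static void dev_lock(struct dev *d) { d->locked = true; }
static void dev_unlock(struct dev *d)
{
    d->locked = false;
    if (d->teardown_pending) { d->teardown_pending = false; teardown(d); }
}

static struct conn *lookup(struct dev *d, uint16_t handle)
{
    return (d->slot.live && d->slot.handle == handle) ? &d->slot : NULL;
}

/* Returns 0 = applied to live connection, -1 = no match, -2 = stale pointer. */
static int handle_param_req(struct dev *d, uint16_t handle,
                            uint16_t min, uint16_t max, bool hold_lock)
{
    int rc = -1;
    if (hold_lock) dev_lock(d);
    struct conn *c = lookup(d, handle);
    if (c) {
        teardown(d);    /* worst-case interleaving: right after the lookup */
        if (c->live) { c->interval_min = min; c->interval_max = max; rc = 0; }
        else rc = -2;   /* real code would be touching freed memory here */
    }
    if (hold_lock) dev_unlock(d);
    return rc;
}

int main(void)
{
    struct dev a = { false, false, { 0x0040, 0, 0, true } }, b = a;
    return !(handle_param_req(&a, 0x0040, 24, 40, false) == -2 &&
             handle_param_req(&b, 0x0040, 24, 40, true) == 0);
}
```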

Impact

The use-after-free could corrupt kernel memory and could potentially be exploited to achieve arbitrary code execution or to bypass security restrictions.

Reproduction

The vulnerability can be reproduced by sending a Bluetooth LE connection parameter request event to a device while the connection handle is being accessed without proper locking. This can be done by manipulating the timing of events to cause the connection data to be freed before it is fully processed.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: May 1, 2026, 3:52 PM
Updated: May 1, 2026, 3:52 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 7.5
exploitability: 4.7
remediation: 7.7
relevance: 7.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.