Linux Kernel Bluetooth Management Unlinking Vulnerability Leading to Use-After-Free

Vulnerability

A use-after-free vulnerability has been addressed in the Linux kernel's Bluetooth management subsystem. This issue arose from a change in how pending commands were handled, specifically the introduction of a function that validates and unlinks commands from the pending list. Several completion handlers needed to be updated to prevent memory safety issues and list corruption. The vulnerability could potentially be exploited by targeting specific Bluetooth management commands, leading to concurrent processing issues and memory corruption.
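A user-space model of the validate-and-unlink pattern described above, added here as an illustration and not taken from the kernel source. All names (`pending_cmd`, `pending_valid_unlink`, `complete_cmd`) are hypothetical.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical user-space model of a pending-command list; not kernel code. */
struct pending_cmd { struct pending_cmd *prev, *next; int opcode; };
struct pending_list { struct pending_cmd head; };   /* circular, intrusive */

static void list_init(struct pending_list *l) { l->head.prev = l->head.next = &l->head; }

static struct pending_cmd *pending_add(struct pending_list *l, int opcode) {
    struct pending_cmd *c = calloc(1, sizeof(*c));
    if (!c) return NULL;
    c->opcode = opcode;
    c->prev = l->head.prev; c->next = &l->head;
    l->head.prev->next = c; l->head.prev = c;
    return c;
}

static int pending_count(struct pending_list *l) {
    int n = 0;
    for (struct pending_cmd *it = l->head.next; it != &l->head; it = it->next) n++;
    return n;
}

/* Validate by address, never by dereferencing cmd: a stale pointer may refer
 * to freed memory. On a match, unlink so that exactly one caller owns cmd. */
static bool pending_valid_unlink(struct pending_list *l, struct pending_cmd *cmd) {
    for (struct pending_cmd *it = l->head.next; it != &l->head; it = it->next) {
        if (it != cmd) continue;
        it->prev->next = it->next;
        it->next->prev = it->prev;
        it->prev = it->next = it;       /* detached: points only at itself */
        return true;
    }
    return false;
}

/* Handler written for that contract: after a successful validation the command
 * is already off the list, so it is freed here and never unlinked again. */
static int complete_cmd(struct pending_list *l, struct pending_cmd *cmd) {
    if (!pending_valid_unlink(l, cmd)) return -1;   /* another path owns it */
    free(cmd);
    return 0;
}

int main(void) {
    struct pending_list l; list_init(&l);
    return complete_cmd(&l, pending_add(&l, 1));    /* constructed sample; 0 on success */
}
```

When two paths reach the same command, only the one whose validation succeeds may free it; the other gets `false` and must not touch the command.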

Impact

Exploitation of this vulnerability could lead to a use-after-free condition, allowing for memory corruption and potential arbitrary code execution.

Reproduction

The vulnerability can be reproduced by sending Bluetooth management commands that are processed concurrently. The completion handlers for these commands can be manipulated to cause a use-after-free condition by exploiting the incorrect handling of pending commands that have already been unlinked from the list.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.

Added: May 5, 2026, 4:57 PM
Updated: May 5, 2026, 4:57 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 7.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.