Linux Kernel Bluetooth Use-After-Free Vulnerability in HCI Sync

A use-after-free vulnerability has been identified in the Bluetooth HCI synchronization process within the Linux kernel. This issue arises when the HCI connection is freed before the 'le_read_features_complete' function is called, leading to a memory access violation. The vulnerability has been traced to the handling of Bluetooth Low Energy (BLE) remote features, where improper synchronization can result in accessing freed memory, potentially causing instability or exploitation opportunities.

Impact

Exploitation of this vulnerability leads to a use-after-free condition, allowing for memory corruption. Such conditions can often be exploited to execute arbitrary code or cause a denial-of-service by crashing the system.

Reproduction

The vulnerability can be reproduced by initiating a Bluetooth Low Energy connection and triggering the 'le_read_remote_features' command. If the connection is dropped before the command is completed, the use-after-free condition occurs, as the connection object is freed while the command is still being processed.

Remediation

Users should upgrade to the latest stable version of the Linux kernel where this vulnerability has been addressed.