Description
hci_conn_cleanup in net/bluetooth/hci_conn.c in the Linux kernel through 6.2.9 has a use-after-free (observed in hci_conn_hash_flush) because of calls to hci_dev_put and hci_conn_put. There is a double free that may lead to privilege escalation.
References (4)
Core 4
Core References
Mailing List, Patch
https://lore.kernel.org/lkml/20230309074645.74309-1-wzhmmmmm%40gmail.com/
Third Party Advisory
https://security.netapp.com/advisory/ntap-20230517-0004/
Mailing List, Patch
https://www.openwall.com/lists/oss-security/2023/03/28/2
Scores
CVSS v3
7.8
EPSS
0.0002
EPSS Percentile
6.8%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-415
Status
published
Products (8)
linux/linux_kernel
6.1.25
linux/linux_kernel
6.2.12
linux/linux_kernel
6.3 (7 CPE variants)
netapp/h300s_firmware
netapp/h410c_firmware
netapp/h410s_firmware
netapp/h500s_firmware
netapp/h700s_firmware
Published
Mar 31, 2023
Tracked Since
Feb 18, 2026