CVE-2024-26801

MEDIUM

Linux Kernel 4.0-6.7.8 Bluetooth HCI Use-After-Free

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Avoid potential use-after-free in hci_error_reset While handling the HCI_EV_HARDWARE_ERROR event, if the underlying BT controller is not responding, the GPIO reset mechanism would free the hci_dev and lead to a use-after-free in hci_error_reset. Here's the call trace observed on a ChromeOS device with Intel AX201: queue_work_on+0x3e/0x6c __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth <HASH:3b4a6>] ? init_wait_entry+0x31/0x31 __hci_cmd_sync+0x16/0x20 [bluetooth <HASH:3b4a 6>] hci_error_reset+0x4f/0xa4 [bluetooth <HASH:3b4a 6>] process_one_work+0x1d8/0x33f worker_thread+0x21b/0x373 kthread+0x13a/0x152 ? pr_cont_work+0x54/0x54 ? kthread_blkcg+0x31/0x31 ret_from_fork+0x1f/0x30 This patch holds the reference count on the hci_dev while processing a HCI_EV_HARDWARE_ERROR event to avoid potential crash.

References (10)

Core 10

Scores

CVSS v3 5.5
EPSS 0.0028
EPSS Percentile 19.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-416
Status published
Products (27)
linux/Kernel 4.0.0 - 4.19.309linux
linux/Kernel 4.20.0 - 5.4.271linux
linux/Kernel 5.11.0 - 5.15.151linux
linux/Kernel 5.16.0 - 6.1.81linux
linux/Kernel 5.5.0 - 5.10.212linux
linux/Kernel 6.2.0 - 6.6.21linux
linux/Kernel 6.7.0 - 6.7.9linux
Linux/Linux < 4.0
Linux/Linux 4.0
Linux/Linux 4.19.309 - 4.19.*
... and 17 more
Published Apr 04, 2024
Tracked Since Feb 18, 2026