CVE-2024-26801
Vulnerability from cvelistv5
Published
2024-04-04 08:20
Modified
2024-11-05 09:16
Severity ?
Summary
Bluetooth: Avoid potential use-after-free in hci_error_reset
Impacted products
LinuxLinux
LinuxLinux
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:14:13.522Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e0b278650f07acf2e0932149183458468a731c03"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/98fb98fd37e42fd4ce13ff657ea64503e24b6090"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/6dd0a9dfa99f8990a08eb8fdd8e79bee31c7d8e2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/da4569d450b193e39e87119fd316c0291b585d14"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/45085686b9559bfbe3a4f41d3d695a520668f5e1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2ab9a19d896f5a0dd386e1f001c5309bc35f433b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/dd594cdc24f2e48dab441732e6dfcafd6b0711d1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2449007d3f73b2842c9734f45f0aadb522daf592"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26801",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-15T19:27:12.303916Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-15T19:27:19.532Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/hci_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e0b278650f07",
              "status": "affected",
              "version": "c7741d16a57c",
              "versionType": "git"
            },
            {
              "lessThan": "98fb98fd37e4",
              "status": "affected",
              "version": "c7741d16a57c",
              "versionType": "git"
            },
            {
              "lessThan": "6dd0a9dfa99f",
              "status": "affected",
              "version": "c7741d16a57c",
              "versionType": "git"
            },
            {
              "lessThan": "da4569d450b1",
              "status": "affected",
              "version": "c7741d16a57c",
              "versionType": "git"
            },
            {
              "lessThan": "45085686b955",
              "status": "affected",
              "version": "c7741d16a57c",
              "versionType": "git"
            },
            {
              "lessThan": "2ab9a19d896f",
              "status": "affected",
              "version": "c7741d16a57c",
              "versionType": "git"
            },
            {
              "lessThan": "dd594cdc24f2",
              "status": "affected",
              "version": "c7741d16a57c",
              "versionType": "git"
            },
            {
              "lessThan": "2449007d3f73",
              "status": "affected",
              "version": "c7741d16a57c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/hci_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.0"
            },
            {
              "lessThan": "4.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.309",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.271",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.212",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.151",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Avoid potential use-after-free in hci_error_reset\n\nWhile handling the HCI_EV_HARDWARE_ERROR event, if the underlying\nBT controller is not responding, the GPIO reset mechanism would\nfree the hci_dev and lead to a use-after-free in hci_error_reset.\n\nHere\u0027s the call trace observed on a ChromeOS device with Intel AX201:\n   queue_work_on+0x3e/0x6c\n   __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth \u003cHASH:3b4a6\u003e]\n   ? init_wait_entry+0x31/0x31\n   __hci_cmd_sync+0x16/0x20 [bluetooth \u003cHASH:3b4a 6\u003e]\n   hci_error_reset+0x4f/0xa4 [bluetooth \u003cHASH:3b4a 6\u003e]\n   process_one_work+0x1d8/0x33f\n   worker_thread+0x21b/0x373\n   kthread+0x13a/0x152\n   ? pr_cont_work+0x54/0x54\n   ? kthread_blkcg+0x31/0x31\n    ret_from_fork+0x1f/0x30\n\nThis patch holds the reference count on the hci_dev while processing\na HCI_EV_HARDWARE_ERROR event to avoid potential crash."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-05T09:16:04.890Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e0b278650f07acf2e0932149183458468a731c03"
        },
        {
          "url": "https://git.kernel.org/stable/c/98fb98fd37e42fd4ce13ff657ea64503e24b6090"
        },
        {
          "url": "https://git.kernel.org/stable/c/6dd0a9dfa99f8990a08eb8fdd8e79bee31c7d8e2"
        },
        {
          "url": "https://git.kernel.org/stable/c/da4569d450b193e39e87119fd316c0291b585d14"
        },
        {
          "url": "https://git.kernel.org/stable/c/45085686b9559bfbe3a4f41d3d695a520668f5e1"
        },
        {
          "url": "https://git.kernel.org/stable/c/2ab9a19d896f5a0dd386e1f001c5309bc35f433b"
        },
        {
          "url": "https://git.kernel.org/stable/c/dd594cdc24f2e48dab441732e6dfcafd6b0711d1"
        },
        {
          "url": "https://git.kernel.org/stable/c/2449007d3f73b2842c9734f45f0aadb522daf592"
        }
      ],
      "title": "Bluetooth: Avoid potential use-after-free in hci_error_reset",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26801",
    "datePublished": "2024-04-04T08:20:29.211Z",
    "dateReserved": "2024-02-19T14:20:24.179Z",
    "dateUpdated": "2024-11-05T09:16:04.890Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-26801\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-04-04T09:15:09.050\",\"lastModified\":\"2024-11-05T10:15:51.107\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nBluetooth: Avoid potential use-after-free in hci_error_reset\\n\\nWhile handling the HCI_EV_HARDWARE_ERROR event, if the underlying\\nBT controller is not responding, the GPIO reset mechanism would\\nfree the hci_dev and lead to a use-after-free in hci_error_reset.\\n\\nHere\u0027s the call trace observed on a ChromeOS device with Intel AX201:\\n   queue_work_on+0x3e/0x6c\\n   __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth \u003cHASH:3b4a6\u003e]\\n   ? init_wait_entry+0x31/0x31\\n   __hci_cmd_sync+0x16/0x20 [bluetooth \u003cHASH:3b4a 6\u003e]\\n   hci_error_reset+0x4f/0xa4 [bluetooth \u003cHASH:3b4a 6\u003e]\\n   process_one_work+0x1d8/0x33f\\n   worker_thread+0x21b/0x373\\n   kthread+0x13a/0x152\\n   ? pr_cont_work+0x54/0x54\\n   ? kthread_blkcg+0x31/0x31\\n    ret_from_fork+0x1f/0x30\\n\\nThis patch holds the reference count on the hci_dev while processing\\na HCI_EV_HARDWARE_ERROR event to avoid potential crash.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: Bluetooth: evite el posible use-after-free en hci_error_reset Mientras se maneja el evento HCI_EV_HARDWARE_ERROR, si el controlador BT subyacente no responde, el mecanismo de reinicio de GPIO liberar\u00eda hci_dev y provocar\u00eda un error. use-after-free en hci_error_reset. Este es el seguimiento de llamadas observado en un dispositivo ChromeOS con Intel AX201: queue_work_on+0x3e/0x6c __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth ] ? init_wait_entry+0x31/0x31 __hci_cmd_sync+0x16/0x20 [bluetooth ] hci_error_reset+0x4f/0xa4 [bluetooth ] Process_one_work+0x1d8/0x33f trabajador_thread+0x21b/0x373 kthread+0x13a /0x152 ? pr_cont_work+0x54/0x54? kthread_blkcg+0x31/0x31 ret_from_fork+0x1f/0x30 Este parche mantiene el recuento de referencias en hci_dev mientras procesa un evento HCI_EV_HARDWARE_ERROR para evitar posibles fallas.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2449007d3f73b2842c9734f45f0aadb522daf592\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/2ab9a19d896f5a0dd386e1f001c5309bc35f433b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/45085686b9559bfbe3a4f41d3d695a520668f5e1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6dd0a9dfa99f8990a08eb8fdd8e79bee31c7d8e2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/98fb98fd37e42fd4ce13ff657ea64503e24b6090\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/da4569d450b193e39e87119fd316c0291b585d14\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/dd594cdc24f2e48dab441732e6dfcafd6b0711d1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e0b278650f07acf2e0932149183458468a731c03\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.