CVE-2024-27398

Advisory lineage Upstream: 0 Downstream: 184
Analyzed
Published: 13 May 2024, 10:22
Last modified: 23 May 2026, 15:42

Vulnerability Summary

Overall Risk (default)
medium
31/100
CVSS Score
7.8 HIGH
v3.1 (nvd)
EPSS Score
0.72% LOW
1% probability +0.05%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

13 May 2024, 10:22
Published
Vulnerability first disclosed
23 May 2026, 15:42
Last Modified
Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout

When the sco connection is established and then the sco socket is being released, timeout_work will be scheduled to judge whether the sco disconnection has timed out. The sock will be deallocated later, but it is dereferenced again in sco_sock_timeout. As a result, use-after-free bugs will happen.

The root cause is shown below:

    Cleanup Thread                |  Worker Thread
    sco_sock_release              |
      sco_sock_close              |
        __sco_sock_close          |
          sco_sock_set_timer      |
            schedule_delayed_work |
      sco_sock_kill               |  (wait a time)
        sock_put(sk) //FREE       |  sco_sock_timeout
                                  |    sock_hold(sk) //USE

The KASAN report triggered by POC is shown below:

    [   95.890016] ==================================================================
    [   95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0
    [   95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7
    ...
    [   95.890755] Workqueue: events sco_sock_timeout
    [   95.890755] Call Trace:
    [   95.890755]  <TASK>
    [   95.890755]  dump_stack_lvl+0x45/0x110
    [   95.890755]  print_address_description+0x78/0x390
    [   95.890755]  print_report+0x11b/0x250
    [   95.890755]  ? __virt_addr_valid+0xbe/0xf0
    [   95.890755]  ? sco_sock_timeout+0x5e/0x1c0
    [   95.890755]  kasan_report+0x139/0x170
    [   95.890755]  ? update_load_avg+0xe5/0x9f0
    [   95.890755]  ? sco_sock_timeout+0x5e/0x1c0
    [   95.890755]  kasan_check_range+0x2c3/0x2e0
    [   95.890755]  sco_sock_timeout+0x5e/0x1c0
    [   95.890755]  process_one_work+0x561/0xc50
    [   95.890755]  worker_thread+0xab2/0x13c0
    [   95.890755]  ? pr_cont_work+0x490/0x490
    [   95.890755]  kthread+0x279/0x300
    [   95.890755]  ? pr_cont_work+0x490/0x490
    [   95.890755]  ? kthread_blkcg+0xa0/0xa0
    [   95.890755]  ret_from_fork+0x34/0x60
    [   95.890755]  ? kthread_blkcg+0xa0/0xa0
    [   95.890755]  ret_from_fork_asm+0x11/0x20
    [   95.890755]  </TASK>
    [   95.890755]
    [   95.890755] Allocated by task 506:
    [   95.890755]  kasan_save_track+0x3f/0x70
    [   95.890755]  __kasan_kmalloc+0x86/0x90
    [   95.890755]  __kmalloc+0x17f/0x360
    [   95.890755]  sk_prot_alloc+0xe1/0x1a0
    [   95.890755]  sk_alloc+0x31/0x4e0
    [   95.890755]  bt_sock_alloc+0x2b/0x2a0
    [   95.890755]  sco_sock_create+0xad/0x320
    [   95.890755]  bt_sock_create+0x145/0x320
    [   95.890755]  __sock_create+0x2e1/0x650
    [   95.890755]  __sys_socket+0xd0/0x280
    [   95.890755]  __x64_sys_socket+0x75/0x80
    [   95.890755]  do_syscall_64+0xc4/0x1b0
    [   95.890755]  entry_SYSCALL_64_after_hwframe+0x67/0x6f
    [   95.890755]
    [   95.890755] Freed by task 506:
    [   95.890755]  kasan_save_track+0x3f/0x70
    [   95.890755]  kasan_save_free_info+0x40/0x50
    [   95.890755]  poison_slab_object+0x118/0x180
    [   95.890755]  __kasan_slab_free+0x12/0x30
    [   95.890755]  kfree+0xb2/0x240
    [   95.890755]  __sk_destruct+0x317/0x410
    [   95.890755]  sco_sock_release+0x232/0x280
    [   95.890755]  sock_close+0xb2/0x210
    [   95.890755]  __fput+0x37f/0x770
    [   95.890755]  task_work_run+0x1ae/0x210
    [   95.890755]  get_signal+0xe17/0xf70
    [   95.890755]  arch_do_signal_or_restart+0x3f/0x520
    [   95.890755]  syscall_exit_to_user_mode+0x55/0x120
    [   95.890755]  do_syscall_64+0xd1/0x1b0
    [   95.890755]  entry_SYSCALL_64_after_hwframe+0x67/0x6f
    [   95.890755]
    [   95.890755] The buggy address belongs to the object at ffff88800c388000
    [   95.890755]  which belongs to the cache kmalloc-1k of size 1024
    [   95.890755] The buggy address is located 128 bytes inside of
    [   95.890755]  freed 1024-byte region [ffff88800c388000, ffff88800c388400)
    [   95.890755]
    [   95.890755] The buggy address belongs to the physical page:
    [   95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388
    [   95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
    [   95.890755] ano ---truncated---
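The race in the commit message above, as an added example that is not part of this advisory or of the kernel source: a single-threaded C model that runs the two interleavings explicitly so the ordering problem can be reasoned about without a real workqueue. struct sk_model, struct work_model, the "freed" poison bit (standing in for the freed-slab tracking KASAN provides in the report), and the fixed_release mitigation are all constructed here for illustration. The mitigation shown (take a reference on behalf of the scheduled work item, drop it in the handler, and cancel the item synchronously before the owner's final put) is the general refcount-plus-cancel pattern for deferred work on a refcounted object, not a transcription of the upstream patch.

```c
/* Added example: user-space model of the sco_sock_timeout use-after-free race.
 * Nothing here is kernel code; the types and helpers mimic struct sock,
 * delayed_work and the workqueue just closely enough to show the ordering bug. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct sk_model {
    int  refcnt;    /* models sk->sk_refcnt */
    bool freed;     /* set by the final put; plays the role KASAN plays in the report */
    int  timeouts;  /* how many times the handler body actually ran */
};

/* One pending work item, as the workqueue would hold it. The handler returns
 * 0 (ran safely) or 1 (touched freed memory); -1 means nothing was pending. */
struct work_model {
    int (*fn)(struct sk_model *);
    struct sk_model *arg;
    bool pending;
};

static void sock_hold(struct sk_model *sk) { sk->refcnt++; }

/* Last reference gone: the kernel would kfree(sk) here. */
static void sock_put(struct sk_model *sk)
{
    if (--sk->refcnt == 0)
        sk->freed = true;
}

static void schedule_delayed_work(struct work_model *w,
                                  int (*fn)(struct sk_model *), struct sk_model *sk)
{
    w->fn = fn;
    w->arg = sk;
    w->pending = true;
}

/* The worker thread picks the item up "a time later". */
static int run_pending_work(struct work_model *w)
{
    if (!w->pending)
        return -1;
    w->pending = false;
    return w->fn(w->arg);
}

/* Synchronous cancel: true if an item was pending and is now discarded. */
static bool cancel_delayed_work_sync(struct work_model *w)
{
    bool was_pending = w->pending;
    w->pending = false;
    return was_pending;
}

/* Handler as the advisory describes it: sock_hold() on a sock that may be gone. */
static int sco_sock_timeout_vuln(struct sk_model *sk)
{
    if (sk->freed)
        return 1;  /* KASAN: slab-use-after-free in sco_sock_timeout */
    sock_hold(sk);
    sk->timeouts++;
    sock_put(sk);
    return 0;
}

/* Hardened handler: it runs under the reference taken when the work was
 * scheduled, so the object is alive, and it drops that reference when done. */
static int sco_sock_timeout_fixed(struct sk_model *sk)
{
    if (sk->freed)
        return 1;  /* unreachable once the release path is fixed */
    sk->timeouts++;
    sock_put(sk);
    return 0;
}

/* The interleaving from the commit message: schedule, free, then the worker runs. */
int vulnerable_release(void)
{
    struct sk_model sk = { 1, false, 0 };          /* owner holds the only reference */
    struct work_model w = { NULL, NULL, false };

    schedule_delayed_work(&w, sco_sock_timeout_vuln, &sk); /* __sco_sock_close -> sco_sock_set_timer */
    sock_put(&sk);                                          /* sco_sock_kill -> sock_put: FREE */
    return run_pending_work(&w);                            /* sco_sock_timeout -> sock_hold: USE */
}

/* Same scenario with the mitigation, for both orderings of worker and release.
 * Returns 0 on success, 1 if freed memory was touched, 2 if the object leaked. */
int fixed_release(bool worker_runs_first)
{
    struct sk_model sk = { 1, false, 0 };
    struct work_model w = { NULL, NULL, false };
    int rc = 0;

    sock_hold(&sk);                                   /* reference owned by the pending work item */
    schedule_delayed_work(&w, sco_sock_timeout_fixed, &sk);

    if (worker_runs_first)
        rc = run_pending_work(&w);                    /* handler drops the work item's reference */
    if (cancel_delayed_work_sync(&w))                 /* release path: nothing may run after this */
        sock_put(&sk);                                /* cancelled item never ran, so drop its reference here */
    sock_put(&sk);                                    /* owner's reference: the free happens here, exactly once */
    if (!worker_runs_first)
        rc = run_pending_work(&w);                    /* worker finds nothing pending: -1, i.e. safe */

    if (rc == 1)
        return 1;
    return sk.freed ? 0 : 2;
}

int main(void)
{
    printf("vulnerable interleaving: %s\n", vulnerable_release() == 1 ? "use-after-free" : "ok");
    printf("fixed, worker first: %d\n", fixed_release(true));
    printf("fixed, cancel first: %d\n", fixed_release(false));
    return 0;
}
```

The point the model makes is that the ordering "schedule, then drop the last reference" is only safe if the scheduled item carries its own reference; and the cancel in the release path must be synchronous, because a handler that has already started on another CPU has to finish before the owner's final put can be allowed to free the object.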

CVSS Metrics

  • v3.1 HIGH, score 7.8, vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.72% Percentile: 73%

Techniques & Countermeasures

  • CWE-416 Use After Free

    The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Affected Systems

  • debian / debian_linux

    10.0

  • fedoraproject / fedora

    39 | 40

  • linux / linux

    ≥ 48669c81a65628ef234cbdd91b9395952c7c27fe, < 1b33d55fb7355e27f8c82cd4ecd560f162469249 | ≥ 37d7ae2b0578f2373674a755402ee722e96edc08, < 3212afd00e3cda790fd0583cb3eaef8f9575a014 | ≥ a1073aad497d0d071a71f61b721966a176d50c08, < 33a6e92161a78c1073d90e27abe28d746feb0a53 | ≥ ba316be1b6a00db7126ed9a39f9bee434a508043, < 6a18eeb1b3bbc67c20d9609c31dca6a69b4bcde5 | ≥ ba316be1b6a00db7126ed9a39f9bee434a508043, < bfab2c1f7940a232cd519e82fff137e308abfd93 | ≥ ba316be1b6a00db7126ed9a39f9bee434a508043, < 012363cb1bec5f33a7b94629ab2c1086f30280f2 | ≥ ba316be1b6a00db7126ed9a39f9bee434a508043, < 50c2037fc28df870ef29d9728c770c8955d32178 | ≥ ba316be1b6a00db7126ed9a39f9bee434a508043, < 483bc08181827fc475643272ffb69c533007e546 | fea63ccd928c01573306983346588b26cffb5572 | ec1f74319bb35c1c90c25014ec0f6ea6c3ca2134 | b657bba82ff6a007d84fd076bd73b11131726a2b | ≥ 4.19.207, < 4.19.314 | ≥ 5.4.148, < 5.4.276 | ≥ 5.10.67, < 5.10.217 | ≥ 4.14.263, < 4.15 | ≥ 5.13.19, < 5.14 | ≥ 5.14.6, < 5.15 | 5.15

  • linux / linux_kernel

    ≥ 4.14.263, < 4.15 | ≥ 4.19.207, < 4.19.314 | ≥ 5.4.148, < 5.4.276 | ≥ 5.10.67, < 5.10.217 | ≥ 5.13.19, < 5.14 | ≥ 5.14.6, < 5.15.159 | ≥ 5.16, < 6.1.91 | ≥ 6.2, < 6.6.31 | ≥ 6.7, < 6.8.10 | 6.9:rc1 | 6.9:rc2 | 6.9:rc3 | 6.9:rc4 | 6.9:rc5 | 6.9:rc6 | 6.9:rc7

References (16)