[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-DEBIAN-CVE-2024-27398":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T08:53:30.047Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":16,"duplicates":23,"related":24,"reserved_at":9,"published_at":25,"modified_at":26,"state":9,"summary":27,"references_raw":29,"kevs":36,"epss":9,"epss_history":37,"metrics":38,"affected":45},"DEBIAN-CVE-2024-27398","In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout  When the sco connection is established and then, the sco socket is releasing, timeout_work will be scheduled to judge whether the sco disconnection is timeout. The sock will be deallocated later, but it is dereferenced again in sco_sock_timeout. As a result, the use-after-free bugs will happen. The root cause is shown below:      Cleanup Thread               |      Worker Thread sco_sock_release                 |   sco_sock_close                 |     __sco_sock_close             |       sco_sock_set_timer         |         schedule_delayed_work    |   sco_sock_kill                  |    (wait a time)     sock_put(sk) //FREE          |  sco_sock_timeout                                  |    sock_hold(sk) //USE  The KASAN report triggered by POC is shown below:  [   95.890016] ================================================================== [   95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0 [   95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7 ... [   95.890755] Workqueue: events sco_sock_timeout [   95.890755] Call Trace: [   95.890755]  \u003CTASK> [   95.890755]  dump_stack_lvl+0x45/0x110 [   95.890755]  print_address_description+0x78/0x390 [   95.890755]  print_report+0x11b/0x250 [   95.890755]  ? __virt_addr_valid+0xbe/0xf0 [   95.890755]  ? sco_sock_timeout+0x5e/0x1c0 [   95.890755]  kasan_report+0x139/0x170 [   95.890755]  ? update_load_avg+0xe5/0x9f0 [   95.890755]  ? sco_sock_timeout+0x5e/0x1c0 [   95.890755]  kasan_check_range+0x2c3/0x2e0 [   95.890755]  sco_sock_timeout+0x5e/0x1c0 [   95.890755]  process_one_work+0x561/0xc50 [   95.890755]  worker_thread+0xab2/0x13c0 [   95.890755]  ? pr_cont_work+0x490/0x490 [   95.890755]  kthread+0x279/0x300 [   95.890755]  ? pr_cont_work+0x490/0x490 [   95.890755]  ? kthread_blkcg+0xa0/0xa0 [   95.890755]  ret_from_fork+0x34/0x60 [   95.890755]  ? kthread_blkcg+0xa0/0xa0 [   95.890755]  ret_from_fork_asm+0x11/0x20 [   95.890755]  \u003C/TASK> [   95.890755] [   95.890755] Allocated by task 506: [   95.890755]  kasan_save_track+0x3f/0x70 [   95.890755]  __kasan_kmalloc+0x86/0x90 [   95.890755]  __kmalloc+0x17f/0x360 [   95.890755]  sk_prot_alloc+0xe1/0x1a0 [   95.890755]  sk_alloc+0x31/0x4e0 [   95.890755]  bt_sock_alloc+0x2b/0x2a0 [   95.890755]  sco_sock_create+0xad/0x320 [   95.890755]  bt_sock_create+0x145/0x320 [   95.890755]  __sock_create+0x2e1/0x650 [   95.890755]  __sys_socket+0xd0/0x280 [   95.890755]  __x64_sys_socket+0x75/0x80 [   95.890755]  do_syscall_64+0xc4/0x1b0 [   95.890755]  entry_SYSCALL_64_after_hwframe+0x67/0x6f [   95.890755] [   95.890755] Freed by task 506: [   95.890755]  kasan_save_track+0x3f/0x70 [   95.890755]  kasan_save_free_info+0x40/0x50 [   95.890755]  poison_slab_object+0x118/0x180 [   95.890755]  __kasan_slab_free+0x12/0x30 [   95.890755]  kfree+0xb2/0x240 [   95.890755]  __sk_destruct+0x317/0x410 [   95.890755]  sco_sock_release+0x232/0x280 [   95.890755]  sock_close+0xb2/0x210 [   95.890755]  __fput+0x37f/0x770 [   95.890755]  task_work_run+0x1ae/0x210 [   95.890755]  get_signal+0xe17/0xf70 [   95.890755]  arch_do_signal_or_restart+0x3f/0x520 [   95.890755]  syscall_exit_to_user_mode+0x55/0x120 [   95.890755]  do_syscall_64+0xd1/0x1b0 [   95.890755]  entry_SYSCALL_64_after_hwframe+0x67/0x6f [   95.890755] [   95.890755] The buggy address belongs to the object at ffff88800c388000 [   95.890755]  which belongs to the cache kmalloc-1k of size 1024 [   95.890755] The buggy address is located 128 bytes inside of [   95.890755]  freed 1024-byte region [ffff88800c388000, ffff88800c388400) [   95.890755] [   95.890755] The buggy address belongs to the physical page: [   95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388 [   95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [   95.890755] ano ---truncated---",null,[],[],[],[14],{"_key":15},"CVE-2024-27398",[17,19,21],{"_key":18},"DLA-3840-1",{"_key":20},"DLA-3843-1",{"_key":22},"DSA-5703-1",[],[],"2024-05-14T15:12:28.623Z","2026-04-28T20:27:48.945449Z",{"cisa_kev":28,"cisa_ransomware":28,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[30],{"url":31,"sources":32,"tags":34},"https://security-tracker.debian.org/tracker/CVE-2024-27398",[33],"osv_debian",[35],"Advisory",[],[],[39],{"source":33,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":40,"cvss_v4_0":9},{"baseScore":41,"baseSeverity":9,"vectorString":42,"impactScore":43,"exploitabilityScore":44},7.8,"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",9.8,4.6,[46],{"ecosystem":47,"name":48,"vendor":49,"product":48,"cpe_part":9,"purl_type":50,"purl_namespace":49,"purl_name":48,"source":9,"versions":51},"Debian","linux","debian","deb",[52,58,61,64],{"version":53,"is_range":54,"range_type":55,"version_start":9,"version_start_type":9,"version_end":56,"version_end_type":57,"fixed_in":9},"lt5_10_218_1",true,"ecosystem","5.10.218-1","excluding",{"version":59,"is_range":54,"range_type":55,"version_start":9,"version_start_type":9,"version_end":60,"version_end_type":57,"fixed_in":9},"lt6_1_94_1","6.1.94-1",{"version":62,"is_range":54,"range_type":55,"version_start":9,"version_start_type":9,"version_end":63,"version_end_type":57,"fixed_in":9},"lt6_8_11_1","6.8.11-1",{"version":62,"is_range":54,"range_type":55,"version_start":9,"version_start_type":9,"version_end":63,"version_end_type":57,"fixed_in":9}]