{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-48947","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-08-22T01:27:53.624Z","datePublished":"2024-10-21T20:05:36.491Z","dateUpdated":"2025-12-23T13:21:14.514Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-12-23T13:21:14.514Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix u8 overflow\n\nBy keep sending L2CAP_CONF_REQ packets, chan->num_conf_rsp increases\nmultiple times and eventually it will wrap around the maximum number\n(i.e., 255).\nThis patch prevents this by adding a boundary check with\nL2CAP_MAX_CONF_RSP\n\nBtmon log:\nBluetooth monitor ver 5.64\n= Note: Linux version 6.1.0-rc2 (x86_64)                               0.264594\n= Note: Bluetooth subsystem version 2.22                               0.264636\n@ MGMT Open: btmon (privileged) version 1.22                  {0x0001} 0.272191\n= New Index: 00:00:00:00:00:00 (Primary,Virtual,hci0)          [hci0] 13.877604\n@ RAW Open: 9496 (privileged) version 2.22                   {0x0002} 13.890741\n= Open Index: 00:00:00:00:00:00                                [hci0] 13.900426\n(...)\n> ACL Data RX: Handle 200 flags 0x00 dlen 1033             #32 [hci0] 14.273106\n        invalid packet size (12 != 1033)\n        08 00 01 00 02 01 04 00 01 10 ff ff              ............\n> ACL Data RX: Handle 200 flags 0x00 dlen 1547             #33 [hci0] 14.273561\n        invalid packet size (14 != 1547)\n        0a 00 01 00 04 01 06 00 40 00 00 00 00 00        ........@.....\n> ACL Data RX: Handle 200 flags 0x00 dlen 2061             #34 [hci0] 14.274390\n        invalid packet size (16 != 2061)\n        0c 00 01 00 04 01 08 00 40 00 00 00 00 00 00 04  ........@.......\n> ACL Data RX: Handle 200 flags 0x00 dlen 2061             #35 [hci0] 14.274932\n        invalid packet size (16 != 2061)\n        0c 00 01 00 04 01 08 00 40 00 00 00 07 00 03 00  ........@.......\n= bluetoothd: Bluetooth daemon 5.43                                   14.401828\n> ACL Data RX: Handle 200 flags 0x00 dlen 1033             #36 [hci0] 14.275753\n        invalid packet size (12 != 1033)\n        08 00 01 00 04 01 04 00 40 00 00 00              ........@..."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/bluetooth/l2cap_core.c"],"versions":[{"version":"f2fcfcd670257236ebf2088bbdf26f6a8ef459fe","lessThan":"49d5867819ab7c744852b45509e8469839c07e0e","status":"affected","versionType":"git"},{"version":"f2fcfcd670257236ebf2088bbdf26f6a8ef459fe","lessThan":"95f1847a361c7b4bf7d74c06ecb6968455082c1a","status":"affected","versionType":"git"},{"version":"f2fcfcd670257236ebf2088bbdf26f6a8ef459fe","lessThan":"ad528fde0702903208d0a79d88d5a42ae3fc235b","status":"affected","versionType":"git"},{"version":"f2fcfcd670257236ebf2088bbdf26f6a8ef459fe","lessThan":"9fdc79b571434af7bc742da40a3405f038b637a7","status":"affected","versionType":"git"},{"version":"f2fcfcd670257236ebf2088bbdf26f6a8ef459fe","lessThan":"f3fe6817156a2ad4b06f01afab04638a34d7c9a6","status":"affected","versionType":"git"},{"version":"f2fcfcd670257236ebf2088bbdf26f6a8ef459fe","lessThan":"19a78143961a197de8502f4f29c453b913dc3c29","status":"affected","versionType":"git"},{"version":"f2fcfcd670257236ebf2088bbdf26f6a8ef459fe","lessThan":"5550bbf709c323194881737fd290c4bada9e6ead","status":"affected","versionType":"git"},{"version":"f2fcfcd670257236ebf2088bbdf26f6a8ef459fe","lessThan":"bcd70260ef56e0aee8a4fc6cd214a419900b0765","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/bluetooth/l2cap_core.c"],"versions":[{"version":"2.6.32","status":"affected"},{"version":"0","lessThan":"2.6.32","status":"unaffected","versionType":"semver"},{"version":"4.9.337","lessThanOrEqual":"4.9.*","status":"unaffected","versionType":"semver"},{"version":"4.14.303","lessThanOrEqual":"4.14.*","status":"unaffected","versionType":"semver"},{"version":"4.19.270","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.229","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.161","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.85","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.0.15","lessThanOrEqual":"6.0.*","status":"unaffected","versionType":"semver"},{"version":"6.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.32","versionEndExcluding":"4.9.337"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.32","versionEndExcluding":"4.14.303"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.32","versionEndExcluding":"4.19.270"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.32","versionEndExcluding":"5.4.229"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.32","versionEndExcluding":"5.10.161"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.32","versionEndExcluding":"5.15.85"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.32","versionEndExcluding":"6.0.15"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.32","versionEndExcluding":"6.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/49d5867819ab7c744852b45509e8469839c07e0e"},{"url":"https://git.kernel.org/stable/c/95f1847a361c7b4bf7d74c06ecb6968455082c1a"},{"url":"https://git.kernel.org/stable/c/ad528fde0702903208d0a79d88d5a42ae3fc235b"},{"url":"https://git.kernel.org/stable/c/9fdc79b571434af7bc742da40a3405f038b637a7"},{"url":"https://git.kernel.org/stable/c/f3fe6817156a2ad4b06f01afab04638a34d7c9a6"},{"url":"https://git.kernel.org/stable/c/19a78143961a197de8502f4f29c453b913dc3c29"},{"url":"https://git.kernel.org/stable/c/5550bbf709c323194881737fd290c4bada9e6ead"},{"url":"https://git.kernel.org/stable/c/bcd70260ef56e0aee8a4fc6cd214a419900b0765"}],"title":"Bluetooth: L2CAP: Fix u8 overflow","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2022-48947","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-10-22T13:22:07.757358Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-10-22T13:28:41.276Z"}}]}}