{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2022-49470","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-02-26T02:08:31.578Z","datePublished":"2025-02-26T02:13:14.024Z","dateUpdated":"2025-05-04T08:38:25.391Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T08:38:25.391Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btmtksdio: fix use-after-free at btmtksdio_recv_event\n\nWe should not access skb buffer data anymore after hci_recv_frame was\ncalled.\n\n[   39.634809] BUG: KASAN: use-after-free in btmtksdio_recv_event+0x1b0\n[   39.634855] Read of size 1 at addr ffffff80cf28a60d by task kworker\n[   39.634962] Call trace:\n[   39.634974]  dump_backtrace+0x0/0x3b8\n[   39.634999]  show_stack+0x20/0x2c\n[   39.635016]  dump_stack_lvl+0x60/0x78\n[   39.635040]  print_address_description+0x70/0x2f0\n[   39.635062]  kasan_report+0x154/0x194\n[   39.635079]  __asan_report_load1_noabort+0x44/0x50\n[   39.635099]  btmtksdio_recv_event+0x1b0/0x1c4\n[   39.635129]  btmtksdio_txrx_work+0x6cc/0xac4\n[   39.635157]  process_one_work+0x560/0xc5c\n[   39.635177]  worker_thread+0x7ec/0xcc0\n[   39.635195]  kthread+0x2d0/0x3d0\n[   39.635215]  ret_from_fork+0x10/0x20\n[   39.635247] Allocated by task 0:\n[   39.635260] (stack is not available)\n[   39.635281] Freed by task 2392:\n[   39.635295]  kasan_save_stack+0x38/0x68\n[   39.635319]  kasan_set_track+0x28/0x3c\n[   39.635338]  kasan_set_free_info+0x28/0x4c\n[   39.635357]  ____kasan_slab_free+0x104/0x150\n[   39.635374]  __kasan_slab_free+0x18/0x28\n[   39.635391]  slab_free_freelist_hook+0x114/0x248\n[   39.635410]  kfree+0xf8/0x2b4\n[   39.635427]  skb_free_head+0x58/0x98\n[   39.635447]  skb_release_data+0x2f4/0x410\n[   39.635464]  skb_release_all+0x50/0x60\n[   39.635481]  kfree_skb+0xc8/0x25c\n[   39.635498]  hci_event_packet+0x894/0xca4 [bluetooth]\n[   39.635721]  hci_rx_work+0x1c8/0x68c [bluetooth]\n[   39.635925]  process_one_work+0x560/0xc5c\n[   39.635951]  worker_thread+0x7ec/0xcc0\n[   39.635970]  kthread+0x2d0/0x3d0\n[   39.635990]  ret_from_fork+0x10/0x20\n[   39.636021] The buggy address belongs to the object at ffffff80cf28a600\n                which belongs to the cache kmalloc-512 of size 512\n[   39.636039] The buggy address is located 13 bytes inside of\n                512-byte region [ffffff80cf28a600, ffffff80cf28a800)"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/bluetooth/btmtksdio.c"],"versions":[{"version":"9aebfd4a2200ab8075e44379c758bccefdc589bb","lessThan":"b3cec8a42fcd11d05313c724f27e01b1db77522c","status":"affected","versionType":"git"},{"version":"9aebfd4a2200ab8075e44379c758bccefdc589bb","lessThan":"02ba31e09a26e8cd4582ac8e6163d80284997727","status":"affected","versionType":"git"},{"version":"9aebfd4a2200ab8075e44379c758bccefdc589bb","lessThan":"01c6a899fa6be4f4cbf60c4f44f0f6691155415f","status":"affected","versionType":"git"},{"version":"9aebfd4a2200ab8075e44379c758bccefdc589bb","lessThan":"0fab6361c4ba17d1b43a991bef4238a3c1754d35","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/bluetooth/btmtksdio.c"],"versions":[{"version":"5.2","status":"affected"},{"version":"0","lessThan":"5.2","status":"unaffected","versionType":"semver"},{"version":"5.15.54","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.17.14","lessThanOrEqual":"5.17.*","status":"unaffected","versionType":"semver"},{"version":"5.18.3","lessThanOrEqual":"5.18.*","status":"unaffected","versionType":"semver"},{"version":"5.19","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"5.15.54"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"5.17.14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"5.18.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"5.19"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/b3cec8a42fcd11d05313c724f27e01b1db77522c"},{"url":"https://git.kernel.org/stable/c/02ba31e09a26e8cd4582ac8e6163d80284997727"},{"url":"https://git.kernel.org/stable/c/01c6a899fa6be4f4cbf60c4f44f0f6691155415f"},{"url":"https://git.kernel.org/stable/c/0fab6361c4ba17d1b43a991bef4238a3c1754d35"}],"title":"Bluetooth: btmtksdio: fix use-after-free at btmtksdio_recv_event","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":7.8,"attackVector":"LOCAL","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"id":"CVE-2022-49470","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2025-02-27T18:15:58.795301Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-416","description":"CWE-416 Use After Free"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-02-27T18:22:32.566Z"}}]}}