{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2022-49474","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-02-26T02:08:31.579Z","datePublished":"2025-02-26T02:13:16.679Z","dateUpdated":"2025-05-04T12:44:51.218Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T12:44:51.218Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout\n\nConnecting the same socket twice consecutively in sco_sock_connect()\ncould lead to a race condition where two sco_conn objects are created\nbut only one is associated with the socket. If the socket is closed\nbefore the SCO connection is established, the timer associated with the\ndangling sco_conn object won't be canceled. As the sock object is being\nfreed, the use-after-free problem happens when the timer callback\nfunction sco_sock_timeout() accesses the socket. Here's the call trace:\n\ndump_stack+0x107/0x163\n? refcount_inc+0x1c/\nprint_address_description.constprop.0+0x1c/0x47e\n? refcount_inc+0x1c/0x7b\nkasan_report+0x13a/0x173\n? refcount_inc+0x1c/0x7b\ncheck_memory_region+0x132/0x139\nrefcount_inc+0x1c/0x7b\nsco_sock_timeout+0xb2/0x1ba\nprocess_one_work+0x739/0xbd1\n? cancel_delayed_work+0x13f/0x13f\n? __raw_spin_lock_init+0xf0/0xf0\n? to_kthread+0x59/0x85\nworker_thread+0x593/0x70e\nkthread+0x346/0x35a\n? drain_workqueue+0x31a/0x31a\n? kthread_bind+0x4b/0x4b\nret_from_fork+0x1f/0x30"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/bluetooth/sco.c"],"versions":[{"version":"22c66af08230a7030bdb88accffaec3424695631","lessThan":"9de3dc09e56f8deacd2bdbf4cecb71e11a312405","status":"affected","versionType":"git"},{"version":"0115a66ebb44bd9127ccb58cf43ed23c795eb1f0","lessThan":"7d61dbd7311ab978d8ddac1749a758de4de00374","status":"affected","versionType":"git"},{"version":"bc4b08383046f3282b6fa58cfcef05bd13e52b93","lessThan":"390d82733a953c1fabf3de9c9618091a7a9c90a6","status":"affected","versionType":"git"},{"version":"5ccb04c6e1fb7b97fa2e1785b67c3a1cb3527ef7","lessThan":"6f55fac0af3531cf60d11369454c41f5fc81ab3f","status":"affected","versionType":"git"},{"version":"059c2c09f4b7f97711d0d8eaa0b9877f5e7d0a75","lessThan":"36c644c63bfcaee2d3a426f45e89a9cd09799318","status":"affected","versionType":"git"},{"version":"e1dee2c1de2b4dd00eb44004a4bda6326ed07b59","lessThan":"65d347cb39e2e6bd0c2a745ad7c928998ebb0162","status":"affected","versionType":"git"},{"version":"e1dee2c1de2b4dd00eb44004a4bda6326ed07b59","lessThan":"537f619dea4e3fa8ed1f8f938abffe3615794bcc","status":"affected","versionType":"git"},{"version":"e1dee2c1de2b4dd00eb44004a4bda6326ed07b59","lessThan":"99df16007f4bbf9abfc3478cb17d10f0d7f8906e","status":"affected","versionType":"git"},{"version":"e1dee2c1de2b4dd00eb44004a4bda6326ed07b59","lessThan":"7aa1e7d15f8a5b65f67bacb100d8fc033b21efa2","status":"affected","versionType":"git"},{"version":"98ae477ed1540d3acbbf44d88ee237ad64275158","status":"affected","versionType":"git"},{"version":"f0c389e23e2475e5837716a629c81b7a9d90cc94","status":"affected","versionType":"git"},{"version":"0b9da4bde0d59c61b3675bdd80a05a726beb875a","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/bluetooth/sco.c"],"versions":[{"version":"5.15","status":"affected"},{"version":"0","lessThan":"5.15","status":"unaffected","versionType":"semver"},{"version":"4.9.318","lessThanOrEqual":"4.9.*","status":"unaffected","versionType":"semver"},{"version":"4.14.283","lessThanOrEqual":"4.14.*","status":"unaffected","versionType":"semver"},{"version":"4.19.247","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.198","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.121","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.46","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.17.14","lessThanOrEqual":"5.17.*","status":"unaffected","versionType":"semver"},{"version":"5.18.3","lessThanOrEqual":"5.18.*","status":"unaffected","versionType":"semver"},{"version":"5.19","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9.283","versionEndExcluding":"4.9.318"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14.247","versionEndExcluding":"4.14.283"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.207","versionEndExcluding":"4.19.247"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.146","versionEndExcluding":"5.4.198"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.65","versionEndExcluding":"5.10.121"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"5.15.46"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"5.17.14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"5.18.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"5.19"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.4.284"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.13.17"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14.4"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/9de3dc09e56f8deacd2bdbf4cecb71e11a312405"},{"url":"https://git.kernel.org/stable/c/7d61dbd7311ab978d8ddac1749a758de4de00374"},{"url":"https://git.kernel.org/stable/c/390d82733a953c1fabf3de9c9618091a7a9c90a6"},{"url":"https://git.kernel.org/stable/c/6f55fac0af3531cf60d11369454c41f5fc81ab3f"},{"url":"https://git.kernel.org/stable/c/36c644c63bfcaee2d3a426f45e89a9cd09799318"},{"url":"https://git.kernel.org/stable/c/65d347cb39e2e6bd0c2a745ad7c928998ebb0162"},{"url":"https://git.kernel.org/stable/c/537f619dea4e3fa8ed1f8f938abffe3615794bcc"},{"url":"https://git.kernel.org/stable/c/99df16007f4bbf9abfc3478cb17d10f0d7f8906e"},{"url":"https://git.kernel.org/stable/c/7aa1e7d15f8a5b65f67bacb100d8fc033b21efa2"}],"title":"Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":7.8,"attackVector":"LOCAL","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"id":"CVE-2022-49474","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2025-02-27T18:15:54.463749Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-416","description":"CWE-416 Use After Free"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-02-27T18:22:32.377Z"}}]}}