50 matches found
CVE-2025-21936 Bluetooth: Add check for mgmt_alloc_skb() in mgmt_device_connected()
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Add check for mgmt_alloc_skb() in mgmt_device_connected() Add check for the return value of mgmt_alloc_skb() in mgmt_device_connected() to prevent null pointer dereference...
Linux Distros Unpatched Vulnerability : CVE-2024-58013
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Bluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync This fixes the following crash:...
CVE-2024-57988
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btbcm: Fix NULL deref in btbcm_get_board_name devm_kstrdup can return a NULL pointer on failure, but this returned value in btbcm_get_board_name is not checked. Add NULL check in btbcm_get_board_name, to handle kernel NULL pointe...
CVE-2022-49470
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btmtksdio: fix use-after-free at btmtksdio_recv_event We should not access skb buffer data anymore after hci_recv_frame was called. 39.634809 BUG: KASAN: use-after-free in btmtksdio_recv_event+0x1b0 39.634855 Read of size 1 ...
CVE-2022-49555 Bluetooth: hci_qca: Use del_timer_sync() before freeing
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_qca: Use del_timer_sync() before freeing While looking at a crash report on a timer list being corrupted, which usually happens when a timer is freed while still active. This is commonly triggered by code calling del_tim...
CVE-2022-49474
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout Connecting the same socket twice consecutively in sco_sock_connect could lead to a race condition where two sco_conn objects are created but only one is associated...
CVE-2024-57879
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: iso: Always release hdev at the end of iso_listen_bis Since hci_get_route holds the device before returning, the hdev should be released with hci_dev_put at the end of iso_listen_bis even if the function returns with an error...
CVE-2024-56757 Bluetooth: btusb: mediatek: add intf release flow when usb disconnect
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: mediatek: add intf release flow when usb disconnect MediaTek claims a special usb intr interface for ISO data transmission. The interface needs to be released before unregistering hci device when usb disconnect...
CVE-2024-56604 Bluetooth: RFCOMM: avoid leaving dangling sk pointer in rfcomm_sock_alloc()
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: avoid leaving dangling sk pointer in rfcomm_sock_alloc() bt_sock_alloc attaches allocated sk object to the provided sock object. If rfcomm_dlc_alloc fails, we release the sk object, but leave the dangling pointer in th...
CVE-2024-53208 Bluetooth: MGMT: Fix slab-use-after-free Read in set_powered_sync
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix slab-use-after-free Read in set_powered_sync This fixes the following crash: ================================================================== BUG: KASAN: slab-use-after-free in set_powered_sync+0x3a/0xc0...
SUSE CVE-2024-50124
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix UAF on iso_sock_timeout conn->sk may have been unlinked/freed while waiting for iso_conn_lock so this checks if the conn->sk is still valid by checking if it is part of iso_sk_list...
CVE-2022-48878
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_qca: Fix driver shutdown on closed serdev The driver shutdown callback which sends EDL_SOC_RESET to the device over serdev should not be invoked when HCI device is not open e.g. if hci_dev_open_sync failed, because the...
CVE-2024-41063
In CVE-2024-41063, the Linux kernel Bluetooth stack (hci_core) fixes a deadlock when unregistering a device. The root cause involves hci_unregister_dev() racing with hci_error_reset() and hdev->req_workqueue/destroy_workqueue(), where pending work items may still be running during destroy. The...
CVE-2024-36968
CVE-2024-36968 (Linux kernel): A Bluetooth L2CAP issue in the kernel could cause div-by-zero and integer overflow due to hdev->le_mtu potentially being out of range. The fix moves MTU validation from hci_dev to hci_conn, halting connection setup when MTU is invalid, and adds validation in rea...
CVE-2024-36942
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority...
CVE-2023-52833
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: Add date->evt_skb is NULL check fix crash because of null pointers 6104.969662 BUG: kernel NULL pointer dereference, address: 00000000000000c8 6104.969667 PF: supervisor read access in kernel mode 6104.969668 PF:...
UBUNTU-CVE-2024-35965
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix not validating setsockopt user input Check user input length before copying data...
The vulnerability of the l2cap_chan_timeout() function in the Linux kernel’s Bluetooth subsystem allows a hacker to trigger a service failure.
The vulnerability of the l2cap_chan_timeout() function in the net/bluetooth/l2cap_core.c module of the Linux kernel’s Bluetooth subsystem is related to a null pointer dereference caused by a race condition (concurrent access to resources). Exploiting this vulnerability could allow an attacker to cause...
CVE-2021-34981 Linux Kernel Bluetooth CMTP Module Double Free Privilege Escalation Vulnerability
Linux Kernel Bluetooth CMTP Module Double Free Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel. An attacker must first obtain the ability to execute high-privileged code on the target system in order to...
CVE-2024-26959 Bluetooth: btnxpuart: Fix btnxpuart_close
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btnxpuart: Fix btnxpuart_close Fix scheduling while atomic BUG in btnxpuart_close, properly purge the transmit queue and free the receive skb. 10.973809 BUG: scheduling while atomic: kworker/u9:0/80/0x00000002...