{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-49908", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-05-01T14:05:17.247Z", "datePublished": "2025-05-01T14:10:51.706Z", "dateUpdated": "2025-05-04T08:48:26.680Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:48:26.680Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix memory leak in vhci_write\n\nSyzkaller reports a memory leak as follows:\n====================================\nBUG: memory leak\nunreferenced object 0xffff88810d81ac00 (size 240):\n [...]\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [<ffffffff838733d9>] __alloc_skb+0x1f9/0x270 net/core/skbuff.c:418\n [<ffffffff833f742f>] alloc_skb include/linux/skbuff.h:1257 [inline]\n [<ffffffff833f742f>] bt_skb_alloc include/net/bluetooth/bluetooth.h:469 [inline]\n [<ffffffff833f742f>] vhci_get_user drivers/bluetooth/hci_vhci.c:391 [inline]\n [<ffffffff833f742f>] vhci_write+0x5f/0x230 drivers/bluetooth/hci_vhci.c:511\n [<ffffffff815e398d>] call_write_iter include/linux/fs.h:2192 [inline]\n [<ffffffff815e398d>] new_sync_write fs/read_write.c:491 [inline]\n [<ffffffff815e398d>] vfs_write+0x42d/0x540 fs/read_write.c:578\n [<ffffffff815e3cdd>] ksys_write+0x9d/0x160 fs/read_write.c:631\n [<ffffffff845e0645>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n [<ffffffff845e0645>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n [<ffffffff84600087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n====================================\n\nHCI core will uses hci_rx_work() to process frame, which is queued to\nthe hdev->rx_q tail in hci_recv_frame() by HCI driver.\n\nYet the problem is that, HCI core may not free the skb after handling\nACL data packets. To be more specific, when start fragment does not\ncontain the L2CAP length, HCI core just copies skb into conn->rx_skb and\nfinishes frame process in l2cap_recv_acldata(), without freeing the skb,\nwhich triggers the above memory leak.\n\nThis patch solves it by releasing the relative skb, after processing\nthe above case in l2cap_recv_acldata()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/l2cap_core.c"], "versions": [{"version": "4d7ea8ee90e42fc75995f6fb24032d3233314528", "lessThan": "aa16cac06b752e5f609c106735bd7838f444784c", "status": "affected", "versionType": "git"}, {"version": "4d7ea8ee90e42fc75995f6fb24032d3233314528", "lessThan": "5b4f039a2f487c5edae681d763fe1af505f84c13", "status": "affected", "versionType": "git"}, {"version": "4d7ea8ee90e42fc75995f6fb24032d3233314528", "lessThan": "7c9524d929648935bac2bbb4c20437df8f9c3f42", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/l2cap_core.c"], "versions": [{"version": "5.12", "status": "affected"}, {"version": "0", "lessThan": "5.12", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.78", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.0.8", "lessThanOrEqual": "6.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.12", "versionEndExcluding": "5.15.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.12", "versionEndExcluding": "6.0.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.12", "versionEndExcluding": "6.1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/aa16cac06b752e5f609c106735bd7838f444784c"}, {"url": "https://git.kernel.org/stable/c/5b4f039a2f487c5edae681d763fe1af505f84c13"}, {"url": "https://git.kernel.org/stable/c/7c9524d929648935bac2bbb4c20437df8f9c3f42"}], "title": "Bluetooth: L2CAP: Fix memory leak in vhci_write", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "047D3644-B2CA-4427-B14E-7F2ADE40217B", "versionEndExcluding": "5.15.78", "versionStartIncluding": "5.12", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "EC9A754E-625D-42F3-87A7-960D643E2867", "versionEndExcluding": "6.0.8", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "E7E331DA-1FB0-4DEC-91AC-7DA69D461C11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "17F0B248-42CF-4AE6-A469-BB1BAE7F4705", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:*", "matchCriteriaId": "E2422816-0C14-4B5E-A1E6-A9D776E5C49B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix memory leak in vhci_write\n\nSyzkaller reports a memory leak as follows:\n====================================\nBUG: memory leak\nunreferenced object 0xffff88810d81ac00 (size 240):\n [...]\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [<ffffffff838733d9>] __alloc_skb+0x1f9/0x270 net/core/skbuff.c:418\n [<ffffffff833f742f>] alloc_skb include/linux/skbuff.h:1257 [inline]\n [<ffffffff833f742f>] bt_skb_alloc include/net/bluetooth/bluetooth.h:469 [inline]\n [<ffffffff833f742f>] vhci_get_user drivers/bluetooth/hci_vhci.c:391 [inline]\n [<ffffffff833f742f>] vhci_write+0x5f/0x230 drivers/bluetooth/hci_vhci.c:511\n [<ffffffff815e398d>] call_write_iter include/linux/fs.h:2192 [inline]\n [<ffffffff815e398d>] new_sync_write fs/read_write.c:491 [inline]\n [<ffffffff815e398d>] vfs_write+0x42d/0x540 fs/read_write.c:578\n [<ffffffff815e3cdd>] ksys_write+0x9d/0x160 fs/read_write.c:631\n [<ffffffff845e0645>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n [<ffffffff845e0645>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n [<ffffffff84600087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n====================================\n\nHCI core will uses hci_rx_work() to process frame, which is queued to\nthe hdev->rx_q tail in hci_recv_frame() by HCI driver.\n\nYet the problem is that, HCI core may not free the skb after handling\nACL data packets. To be more specific, when start fragment does not\ncontain the L2CAP length, HCI core just copies skb into conn->rx_skb and\nfinishes frame process in l2cap_recv_acldata(), without freeing the skb,\nwhich triggers the above memory leak.\n\nThis patch solves it by releasing the relative skb, after processing\nthe above case in l2cap_recv_acldata()."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Bluetooth: L2CAP: Se corrige la p\u00e9rdida de memoria en vhci_write Syzkaller informa de una p\u00e9rdida de memoria de la siguiente manera: ===================================== ERROR: p\u00e9rdida de memoria del objeto no referenciado 0xffff88810d81ac00 (tama\u00f1o 240): [...] volcado hexadecimal (primeros 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [] __alloc_skb+0x1f9/0x270 net/core/skbuff.c:418 [] alloc_skb include/linux/skbuff.h:1257 [en l\u00ednea] [] bt_skb_alloc include/net/bluetooth/bluetooth.h:469 [en l\u00ednea] [] vhci_get_user drivers/bluetooth/hci_vhci.c:391 [en l\u00ednea] [] vhci_write+0x5f/0x230 drivers/bluetooth/hci_vhci.c:511 [] call_write_iter include/linux/fs.h:2192 [en l\u00ednea] [] new_sync_write fs/read_write.c:491 [en l\u00ednea] [] vfs_write+0x42d/0x540 fs/read_write.c:578 [] ksys_write+0x9d/0x160 fs/read_write.c:631 [] do_syscall_x64 arch/x86/entry/common.c:50 [en l\u00ednea] [] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 [] entry_SYSCALL_64_after_hwframe+0x63/0xcd ====================================== El n\u00facleo HCI utiliza hci_rx_work() para procesar la trama, que el controlador HCI pone en cola en la cola hdev-&gt;rx_q en hci_recv_frame(). Sin embargo, el problema es que el n\u00facleo HCI puede no liberar el skb despu\u00e9s de procesar los paquetes de datos ACL. Para ser m\u00e1s espec\u00edficos, cuando el fragmento de inicio no contiene la longitud L2CAP, el n\u00facleo HCI simplemente copia el skb en conn-&gt;rx_skb y finaliza el procesamiento de la trama en l2cap_recv_acldata(), sin liberar el skb, lo que desencadena la p\u00e9rdida de memoria mencionada anteriormente. Este parche lo resuelve liberando el skb relativo, despu\u00e9s de procesar el caso mencionado en l2cap_recv_acldata()."}], "id": "CVE-2022-49908", "lastModified": "2025-05-07T13:30:18.757", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}]}, "published": "2025-05-01T15:16:15.920", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5b4f039a2f487c5edae681d763fe1af505f84c13"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7c9524d929648935bac2bbb4c20437df8f9c3f42"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/aa16cac06b752e5f609c106735bd7838f444784c"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "[email protected]", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: Bluetooth: L2CAP: Fix memory leak in vhci_write", "id": "2363373", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2363373"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nBluetooth: L2CAP: Fix memory leak in vhci_write\nSyzkaller reports a memory leak as follows:\n====================================\nBUG: memory leak\nunreferenced object 0xffff88810d81ac00 (size 240):\n[...]\nhex dump (first 32 bytes):\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\nbacktrace:\n[<ffffffff838733d9>] __alloc_skb+0x1f9/0x270 net/core/skbuff.c:418\n[<ffffffff833f742f>] alloc_skb include/linux/skbuff.h:1257 [inline]\n[<ffffffff833f742f>] bt_skb_alloc include/net/bluetooth/bluetooth.h:469 [inline]\n[<ffffffff833f742f>] vhci_get_user drivers/bluetooth/hci_vhci.c:391 [inline]\n[<ffffffff833f742f>] vhci_write+0x5f/0x230 drivers/bluetooth/hci_vhci.c:511\n[<ffffffff815e398d>] call_write_iter include/linux/fs.h:2192 [inline]\n[<ffffffff815e398d>] new_sync_write fs/read_write.c:491 [inline]\n[<ffffffff815e398d>] vfs_write+0x42d/0x540 fs/read_write.c:578\n[<ffffffff815e3cdd>] ksys_write+0x9d/0x160 fs/read_write.c:631\n[<ffffffff845e0645>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n[<ffffffff845e0645>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n[<ffffffff84600087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n====================================\nHCI core will uses hci_rx_work() to process frame, which is queued to\nthe hdev->rx_q tail in hci_recv_frame() by HCI driver.\nYet the problem is that, HCI core may not free the skb after handling\nACL data packets. To be more specific, when start fragment does not\ncontain the L2CAP length, HCI core just copies skb into conn->rx_skb and\nfinishes frame process in l2cap_recv_acldata(), without freeing the skb,\nwhich triggers the above memory leak.\nThis patch solves it by releasing the relative skb, after processing\nthe above case in l2cap_recv_acldata()."], "name": "CVE-2022-49908", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-05-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-49908\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49908\nhttps://lore.kernel.org/linux-cve-announce/2025050104-CVE-2022-49908-ad9a@gregkh/T"], "threat_severity": "Moderate"}