CVE-2023-53827
Description
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}
Similar to commit d0be8347c623 ("Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put"), just use l2cap_chan_hold_unless_zero to prevent referencing a channel that is about to be destroyed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free vulnerability in the Linux kernel's Bluetooth L2CAP subsystem can be triggered during disconnect requests, potentially leading to a crash or code execution.
Vulnerability
Description
A use-after-free vulnerability exists in the Linux kernel's Bluetooth L2CAP implementation, specifically in the l2cap_disconnect_req and l2cap_disconnect_rsp functions. The root cause is that the code could reference a channel that is about to be destroyed without properly holding a reference to it, leading to a use-after-free condition. This is similar to a previously fixed issue in commit d0be8347c623 ("Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put") [1].
Exploitation
An attacker who can send crafted Bluetooth L2CAP disconnect requests or responses to a target system can exploit the vulnerability. The attack requires Bluetooth communication capabilities but no authentication: an unauthenticated remote attacker within Bluetooth range can trigger it. The flaw lies in how channel references are handled during the disconnect procedure, where the code fails to use l2cap_chan_hold_unless_zero to prevent accessing a channel that is being freed [1].
Impact
Successful exploitation could lead to a denial of service (system crash) or potentially allow an attacker to execute arbitrary code in the context of the kernel. The use-after-free condition can corrupt kernel memory, which may be leveraged for privilege escalation or other malicious purposes.
Mitigation
The vulnerability has been patched in the Linux kernel. The fix involves using l2cap_chan_hold_unless_zero to ensure that a reference is held before accessing the channel, preventing the use-after-free. Users should apply the latest stable kernel updates to address this issue [1].
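The difference between an unconditional reference increment and the hold-unless-zero pattern the fix relies on, shown as an added userspace C model (not kernel code and not taken from the patch). struct chan and every helper name here are hypothetical stand-ins, and the race is modelled as a fixed ordering in which the final put runs before the handler's lookup.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: struct chan and these helpers are hypothetical, not kernel code. */
struct chan {
    atomic_uint refcnt; /* 0 means the last reference is gone and teardown has begun */
    bool destroyed;     /* stands in for kfree() so the model never reads freed memory */
};

/* Unconditional hold: bumps the count even if it has already reached zero. */
static struct chan *chan_hold(struct chan *c)
{
    atomic_fetch_add(&c->refcnt, 1);
    return c;
}

/* Conditional hold: takes a reference only while the count is still non-zero. */
static struct chan *chan_hold_unless_zero(struct chan *c)
{
    unsigned int old = atomic_load(&c->refcnt);
    while (old != 0) /* a failed CAS reloads 'old', so the zero check repeats */
        if (atomic_compare_exchange_weak(&c->refcnt, &old, old + 1))
            return c;
    return NULL; /* channel is about to be destroyed: caller must not touch it */
}

/* Drop a reference; the final put destroys the channel. */
static void chan_put(struct chan *c)
{
    if (atomic_fetch_sub(&c->refcnt, 1) == 1)
        c->destroyed = true;
}

/* Constructed ordering: the last put lands first, then a handler looks the channel up. */
static struct chan *handler_after_teardown(struct chan *c, bool conditional)
{
    chan_put(c);
    return conditional ? chan_hold_unless_zero(c) : chan_hold(c);
}

int main(void)
{
    struct chan a = { .refcnt = 1 }, b = { .refcnt = 1 };
    printf("unconditional hold handed out a destroyed channel: %d\n",
           handler_after_teardown(&a, false)->destroyed);
    printf("hold_unless_zero returned NULL: %d\n",
           handler_after_teardown(&b, true) == NULL);
    return 0;
}
```

A handler built on the conditional form has to check for NULL and bail out before dereferencing the channel.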
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (8)
f2d38e77aa5f, 1351551aa905, c02421992505, d9ba36c22a7b, ac6725a634f7, 348d446762e7, d82a439c3cfd, a2a9339e1c9d
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
- git.kernel.org/stable/c/1351551aa9058e07a20a27a158270cf84fcde621 (nvd)
- git.kernel.org/stable/c/348d446762e7c70778df8bafbdf3fa0df2123f58 (nvd)
- git.kernel.org/stable/c/a2a9339e1c9deb7e1e079e12e27a0265aea8421a (nvd)
- git.kernel.org/stable/c/ac6725a634f7e8c0330610a8527f20c730b61115 (nvd)
- git.kernel.org/stable/c/c02421992505c95c7f3c9ad59ee35e22eac60988 (nvd)
- git.kernel.org/stable/c/d82a439c3cfdb28aa7e82e2e849c5c4dd9fca284 (nvd)
- git.kernel.org/stable/c/d9ba36c22a7bb09d6bac4cc2f243eff05da53f43 (nvd)
- git.kernel.org/stable/c/f2d38e77aa5f3effc143e7dd24da8acf02925958 (nvd)