Unrated severity · NVD Advisory · Published Dec 9, 2025 · Updated Apr 15, 2026

CVE-2023-53828

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_add_adv_monitor()

KASAN reports use-after-free in hci_add_adv_monitor().

While adding an adv monitor, hci_add_adv_monitor() calls msft_add_monitor_pattern(), which calls msft_add_monitor_sync(), which calls msft_le_monitor_advertisement_cb(), which in an error case calls hci_free_adv_monitor(), which frees the *monitor.

This is referenced by bt_dev_dbg() in hci_add_adv_monitor().

Fix the bt_dev_dbg() by using handle instead of monitor->handle.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free in the Linux kernel's Bluetooth HCI sync code occurs when an error path in `hci_add_adv_monitor()` frees a monitor before a debug message dereferences it.

Root Cause

The vulnerability is a use-after-free bug in the Bluetooth subsystem of the Linux kernel, specifically in hci_add_adv_monitor() within net/bluetooth/hci_sync.c. When adding an advertisement monitor, the function calls msft_add_monitor_pattern(), which calls msft_add_monitor_sync() and then msft_le_monitor_advertisement_cb(). In the error case, that callback calls hci_free_adv_monitor(), which frees the monitor structure. However, a subsequent bt_dev_dbg() debug statement in hci_add_adv_monitor() still references monitor->handle, so it reads freed memory: a use-after-free [1].

Exploitation

Exploitation requires triggering the specific error path within the MSFT monitor addition flow. An attacker with the ability to craft Bluetooth advertisement monitoring requests (likely requiring local access or the CAP_NET_ADMIN capability) could cause the kernel to read freed memory. The bug is reachable when the Bluetooth stack receives certain malformed or error-inducing responses during the monitor setup process [1].

Impact

A use-after-free in kernel memory can lead to denial of service (system crash or kernel panic) or potentially arbitrary code execution, depending on heap layout and attacker control over freed memory. The kernel address sanitizer (KASAN) report confirms the bug, indicating memory safety hazards [1].

Mitigation

The fix, committed to the kernel stable branch, replaces the dangling monitor->handle reference with the local handle variable so that the debug statement no longer touches freed memory. Users should apply the patch from the stable kernel tree (commit 81d8e9f59df6) or update to a kernel version containing the fix [1].
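To make the bug pattern from the root-cause section and the fix from the mitigation section concrete, here is an added C model; it is not kernel code and not from the commit or this page. A simulated free poisons the object instead of releasing it, so the value a dangling debug read would print is deterministic and visible (in the kernel, KASAN is what surfaces the real read of freed memory). The `_sim` functions, the `FREED_POISON` marker, the `controller_ok` flag and the `logged_handle()` scenario helper are assumptions made for this example; the kernel's own functions are only named in comments.

```c
#include <stdio.h>

/* Simplified stand-in for the kernel's adv_monitor; only the handle matters here. */
struct adv_monitor {
    int handle;
};

/* The simulated free poisons the object instead of releasing it, so a read
 * through a dangling pointer yields a recognisable marker rather than
 * undefined behaviour. In the kernel the real free is what KASAN catches. */
#define FREED_POISON 0xDEAD

static void hci_free_adv_monitor_sim(struct adv_monitor *monitor)
{
    monitor->handle = FREED_POISON;
}

/* Models the msft_add_monitor_pattern() -> msft_add_monitor_sync() ->
 * msft_le_monitor_advertisement_cb() chain from the description: on the
 * error path the callback frees the monitor and a negative status comes back. */
static int msft_add_monitor_pattern_sim(struct adv_monitor *monitor, int controller_ok)
{
    if (!controller_ok) {
        hci_free_adv_monitor_sim(monitor);  /* the caller's pointer is dangling from here */
        return -5;                           /* -EIO-style failure (constructed) */
    }
    return 0;
}

/* Shape of the bug: the debug line reads monitor->handle after the call that
 * may already have freed the object. Returns what the log line would print. */
static int add_monitor_dbg_dangling(struct adv_monitor *monitor, int controller_ok,
                                    int *status)
{
    *status = msft_add_monitor_pattern_sim(monitor, controller_ok);
    /* bt_dev_dbg(hdev, "add monitor %d msft status %d", monitor->handle, status); */
    return monitor->handle;
}

/* Shape of the fix: the handle lives in a local taken before the object is
 * handed to the callee, and the debug line uses that local instead. */
static int add_monitor_dbg_local(struct adv_monitor *monitor, int controller_ok,
                                 int *status)
{
    int handle = monitor->handle;
    *status = msft_add_monitor_pattern_sim(monitor, controller_ok);
    /* bt_dev_dbg(hdev, "add monitor %d msft status %d", handle, status); */
    return handle;
}

/* Runs one scenario on a fresh monitor with handle 7 and returns the value
 * the debug line would have printed. use_fix selects the fixed variant. */
int logged_handle(int use_fix, int controller_ok)
{
    struct adv_monitor monitor = { .handle = 7 };
    int status;

    return use_fix ? add_monitor_dbg_local(&monitor, controller_ok, &status)
                   : add_monitor_dbg_dangling(&monitor, controller_ok, &status);
}

int main(void)
{
    printf("buggy, error path : logs handle 0x%x (poison: freed memory)\n",
           logged_handle(0, 0));
    printf("fixed, error path : logs handle %d\n", logged_handle(1, 0));
    printf("buggy, success    : logs handle %d\n", logged_handle(0, 1));
    return 0;
}
```

The success path logs the same handle in both variants, which is why the bug only shows up when the controller rejects the monitor; the fix costs nothing on the hot path and removes the only read that happens after ownership of the object has passed to the callee.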

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

Patches (4)

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (4)

News mentions (0)

No linked articles in our index yet.