VYPR
Unrated severity · NVD Advisory · Published Dec 30, 2025 · Updated Apr 15, 2026

CVE-2023-54210

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_remove_adv_monitor()

KASAN reports that there's a use-after-free in hci_remove_adv_monitor(). Trawling through the disassembly, you can see that the complaint is from the access in bt_dev_dbg() under the HCI_ADV_MONITOR_EXT_MSFT case. The problem case happens because msft_remove_monitor() can end up freeing the monitor structure. Specifically:

  hci_remove_adv_monitor() ->
  msft_remove_monitor() ->
  msft_remove_monitor_sync() ->
  msft_le_cancel_monitor_advertisement_cb() ->
  hci_free_adv_monitor()

Let's fix the problem by just stashing the relevant data when it's still valid.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel Bluetooth subsystem, a use-after-free bug in hci_remove_adv_monitor() occurs when msft_remove_monitor() frees the monitor before a debugging access.

Vulnerability

CVE-2023-54210 describes a use-after-free vulnerability in the Linux kernel's Bluetooth subsystem, specifically in the hci_remove_adv_monitor() function. KASAN reports the issue originates from a debug statement (bt_dev_dbg()) that accesses the monitor structure after it has been freed by msft_remove_monitor(). The problematic call chain is: hci_remove_adv_monitor() -> msft_remove_monitor() -> msft_remove_monitor_sync() -> msft_le_cancel_monitor_advertisement_cb() -> hci_free_adv_monitor(). The pointer becomes dangling before the debug print completes.

Exploitation

No special privileges beyond local access are required to trigger the path, as the Bluetooth subsystem is reachable from user space via HCI sockets. An attacker could craft a sequence of monitor removal operations that causes the kernel to read freed memory, leading to a crash or potentially arbitrary code execution. The issue is exploitable when the Bluetooth hardware supports the Microsoft vendor extension (HCI_ADV_MONITOR_EXT_MSFT).

Impact

Successful exploitation could lead to a denial of service (system crash) or, in more severe cases, privilege escalation or information disclosure due to corrupted kernel memory. The CVSS score and severity were not provided, but use-after-free bugs in the kernel are generally rated high to critical.

Mitigation

The fix is to stash the relevant data before calling functions that may free the monitor. Both stable kernel commits [1] and [2] address this by reading the debug data earlier. Users should apply the latest stable kernel updates to resolve the vulnerability.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
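
The stale debug read and the stash-first fix described above, as a small user-space C model added here for illustration (not kernel code and not taken from the fix commits). `struct monitor`, `offload_remove()`, the log format and the other names are hypothetical, and the "free" poisons a static slot with 0x6b, the kernel's POISON_FREE byte, so the stale read is deterministic rather than undefined.

```c
#include <stdio.h>
#include <string.h>

#define POISON_FREE 0x6b  /* byte the kernel's slab poisoning writes into freed objects */

struct monitor { unsigned short handle; };  /* hypothetical stand-in for the monitor */

static struct monitor slot;   /* static slot: a "freed" object stays readable here */
static char last_log[64];     /* captures what the debug print would have emitted */

static struct monitor *monitor_alloc(unsigned short handle)
{
    slot.handle = handle;
    return &slot;
}

/* Models the callee chain: removing the monitor may free it before returning. */
static int offload_remove(struct monitor *m)
{
    memset(m, POISON_FREE, sizeof(*m));  /* stand-in for the free */
    return 0;
}

/* Pre-fix shape: the debug print dereferences m after the callee freed it. */
static unsigned short remove_stale(struct monitor *m)
{
    int status = offload_remove(m);
    snprintf(last_log, sizeof(last_log), "remove monitor %d status %d", m->handle, status);
    return m->handle;
}

/* Post-fix shape: stash the field while m is still valid, then print the copy. */
static unsigned short remove_stashed(struct monitor *m)
{
    unsigned short handle = m->handle;
    int status = offload_remove(m);
    snprintf(last_log, sizeof(last_log), "remove monitor %d status %d", handle, status);
    return handle;
}

int main(void)
{
    remove_stale(monitor_alloc(7));    /* constructed handle value */
    puts(last_log);
    remove_stashed(monitor_alloc(7));
    puts(last_log);
    return 0;
}
```

In the kernel the freed object goes back to the allocator, so the stale read can return poison, reused data, or a KASAN report rather than a fixed value.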
