CVE-2022-49136
Published: 26 February 2025
Summary
CVE-2022-49136 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 27.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2022-49136 is a use-after-free (CWE-416) vulnerability in the Linux kernel's Bluetooth subsystem, specifically within the hci_sync component. The flaw occurs because the hci_cmd_sync_queue function does not return an error when the HCI_UNREGISTER flag is set, which indicates that hci_unregister_dev has been called. This can lead to a use-after-free of the hdev structure after a timeout, once the device has been freed. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability by triggering command queuing in hci_sync after HCI_UNREGISTER is set. Successful exploitation could allow the attacker to achieve high impacts on confidentiality, integrity, and availability, potentially leading to arbitrary code execution or system crashes due to the use-after-free condition.
Mitigation is provided through kernel patches, including commits 0b94f2651f56b9e4aa5f012b0d7eb57308c773cf and 1c69ef84a808676cceb69210addf5df45b741323 available at git.kernel.org/stable. These fixes ensure that hci_cmd_sync_queue returns an error when HCI_UNREGISTER is set, preventing command queuing after device unregister and avoiding the subsequent use-after-free. Security practitioners should apply the relevant stable kernel updates to affected systems.
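The guard described above, as an illustrative C model written for this page rather than taken from the kernel source: the struct, the flag bit, the queue counter and the function names are simplified stand-ins, and only the return-value contract (refuse to queue once HCI_UNREGISTER is set) follows the fix.

```c
/* Illustrative model, not kernel code: the check the fix adds to
 * hci_cmd_sync_queue so nothing is queued once the device is going away. */
#include <errno.h>
#include <stdio.h>

#define HCI_UNREGISTER 0   /* flag bit index, constructed for this model */

struct hci_dev {
    unsigned long flags;   /* stand-in for the kernel's device flag bits */
    int queued;            /* number of sync commands accepted */
};

static int hci_dev_test_flag(const struct hci_dev *hdev, int bit)
{
    return (int)((hdev->flags >> bit) & 1UL);
}

/* Unpatched behaviour: always accepts, so a command queued after
 * hci_unregister_dev fires its timeout against an hdev already freed. */
static int cmd_sync_queue_unpatched(struct hci_dev *hdev)
{
    hdev->queued++;
    return 0;
}

/* Patched behaviour: return an error while HCI_UNREGISTER is set. */
static int cmd_sync_queue_patched(struct hci_dev *hdev)
{
    if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
        return -ENODEV;
    hdev->queued++;
    return 0;
}

/* Simulate hci_unregister_dev marking the device, then a late caller
 * trying to queue a command; returns that caller's result. */
static int queue_after_unregister(int (*queue)(struct hci_dev *))
{
    struct hci_dev hdev = { .flags = 0, .queued = 0 };
    hdev.flags |= 1UL << HCI_UNREGISTER;    /* device is unregistering */
    return queue(&hdev);
}

/* Same caller against a live device: both variants must still accept. */
static int queue_while_live(int (*queue)(struct hci_dev *))
{
    struct hci_dev hdev = { .flags = 0, .queued = 0 };
    return queue(&hdev);
}

int main(void)
{
    printf("unpatched, after unregister: %d\n",
           queue_after_unregister(cmd_sync_queue_unpatched));
    printf("patched,   after unregister: %d\n",
           queue_after_unregister(cmd_sync_queue_patched));
    return 0;
}
```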
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-55087
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: Fix queuing commands when HCI_UNREGISTER is set. hci_cmd_sync_queue shall return an error if HCI_UNREGISTER flag has been set as that means hci_unregister_dev has been called so it will likely cause a uaf after the timeout as the hdev will be freed.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local use-after-free in kernel Bluetooth hci_sync directly enables exploitation for privilege escalation to achieve arbitrary code execution.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mandates timely remediation of known flaws by applying the kernel patches that prevent command queuing after HCI_UNREGISTER, eliminating the use-after-free in Bluetooth hci_sync.
- SI-16 (Memory Protection): Implements memory safeguards such as ASLR and DEP that raise the cost of exploiting the use-after-free through unauthorized code execution or control-flow hijacking.
- CM-7 (Least Functionality): Enforces least functionality by disabling Bluetooth where it is not needed, reducing the attack surface for local exploitation of the hci_sync use-after-free.