Cyber Resilience

CVE-2022-49136

High

Published: 26 February 2025
Modified: 25 March 2025
KEV Added: not listed
Patch: available
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (27.2nd percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-49136 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 27.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2022-49136 is a use-after-free (CWE-416) vulnerability in the Linux kernel's Bluetooth subsystem, specifically within the hci_sync component. The flaw occurs because the hci_cmd_sync_queue function does not return an error when the HCI_UNREGISTER flag is set, even though that flag indicates hci_unregister_dev has already been called. A command queued in that window is still processed after the command timeout, by which point the hdev structure has been freed, so the queued work dereferences freed memory. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability by triggering command queuing in hci_sync after HCI_UNREGISTER is set. Successful exploitation could allow the attacker to achieve high impacts on confidentiality, integrity, and availability, potentially leading to arbitrary code execution or system crashes due to the use-after-free condition.

Mitigation is provided through kernel patches, including commits 0b94f2651f56b9e4aa5f012b0d7eb57308c773cf and 1c69ef84a808676cceb69210addf5df45b741323 available at git.kernel.org/stable. These fixes ensure that hci_cmd_sync_queue returns an error when HCI_UNREGISTER is set, preventing command queuing after device unregister and avoiding the subsequent use-after-free. Security practitioners should apply the relevant stable kernel updates to affected systems.
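To make the lifecycle check behind the fix concrete, the following is an added, self-contained model written for this page; it is not kernel code and not taken from the referenced commits. The struct, the DEV_FLAG_UNREGISTER bit, the function names and the -ENODEV return are stand-ins for hci_dev, HCI_UNREGISTER and hci_cmd_sync_queue, chosen only to show the pattern: a queue routine must refuse new deferred work once unregister has begun, otherwise the work outlives the object it references.

```c
#include <errno.h>
#include <stdlib.h>

/*
 * Simplified model of the lifecycle check behind the fix for CVE-2022-49136.
 * Constructed for illustration: these names and flags are NOT the kernel's
 * hci_dev, hci_cmd_sync_queue or HCI_UNREGISTER, only stand-ins for them.
 */
#define DEV_FLAG_UNREGISTER 0x1u

struct dev_model {
    unsigned int flags;  /* lifecycle flags; DEV_FLAG_UNREGISTER set by unregister */
    int queued;          /* commands waiting to run, each holding a pointer to hdev */
};

/* Vulnerable shape: queues unconditionally, even while the device is going away. */
int cmd_sync_queue_vulnerable(struct dev_model *hdev)
{
    hdev->queued++;
    return 0;
}

/* Fixed shape: refuse new work once unregister has started. -ENODEV is this
 * model's choice of error code; what matters is that the caller gets a failure
 * instead of a queued command that will run against freed memory. */
int cmd_sync_queue_fixed(struct dev_model *hdev)
{
    if (hdev->flags & DEV_FLAG_UNREGISTER)
        return -ENODEV;
    hdev->queued++;
    return 0;
}

/* Marks the device as unregistering: after this point queuing must fail. */
void dev_unregister(struct dev_model *hdev)
{
    hdev->flags |= DEV_FLAG_UNREGISTER;
}

/*
 * Replays the sequence from the advisory with a given queue implementation:
 * unregister begins, a command is queued afterwards, then the device is freed.
 * Returns how many queued commands still reference the device at free time;
 * any value > 0 is the dangling reference a later timeout would dereference
 * (the use-after-free). Returns -1 on allocation failure.
 */
int replay_unregister_race(int (*queue)(struct dev_model *))
{
    struct dev_model *hdev = calloc(1, sizeof(*hdev));
    if (!hdev)
        return -1;

    dev_unregister(hdev);          /* HCI_UNREGISTER-equivalent flag is now set */
    (void)queue(hdev);             /* the late command the advisory describes */

    int dangling = hdev->queued;   /* work that still holds hdev at free time */
    free(hdev);                    /* any queued callback running after this is a UAF */
    return dangling;
}

int main(void)
{
    /* Vulnerable variant leaves 1 dangling command; fixed variant leaves 0. */
    return (replay_unregister_race(cmd_sync_queue_vulnerable) == 1 &&
            replay_unregister_race(cmd_sync_queue_fixed) == 0) ? 0 : 1;
}
```

The model never touches the freed memory; it counts the references that would survive the free, which is the invariant a patch reviewer checks for this class of bug: no deferred work may be accepted after the teardown flag is set.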

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: Fix queuing commands when HCI_UNREGISTER is set. hci_cmd_sync_queue shall return an error if HCI_UNREGISTER flag has been set as that means hci_unregister_dev has been called so it will likely cause a uaf after the timeout as the hdev will be freed.

CWE(s)

CWE-416 Use After Free

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local use-after-free in kernel Bluetooth hci_sync directly enables exploitation for privilege escalation to achieve arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111: same product (Linux Linux Kernel)
CVE-2026-31530: same product (Linux Linux Kernel)
CVE-2023-52974: same product (Linux Linux Kernel)
CVE-2026-43019: same product (Linux Linux Kernel)
CVE-2026-23158: same product (Linux Linux Kernel)
CVE-2025-21893: same product (Linux Linux Kernel)
CVE-2026-31446: same product (Linux Linux Kernel)
CVE-2022-49176: same product (Linux Linux Kernel)
CVE-2022-49291: same product (Linux Linux Kernel)
CVE-2026-31650: same product (Linux Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Versions: 5.17 to 5.17.3

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly mandates timely remediation of known flaws by applying the kernel patches that prevent command queuing after HCI_UNREGISTER is set, eliminating the use-after-free in Bluetooth hci_sync.

Memory protection (prevent)

Implements memory safeguards such as ASLR and DEP that raise the cost of turning the use-after-free into unauthorized code execution or control-flow hijacking.

CM-7 Least Functionality (prevent)

Enforces least functionality by disabling unnecessary Bluetooth capabilities, reducing the attack surface for local exploitation of the hci_sync use-after-free.
