Cyber Resilience

CVE-2022-49474

High

Published: 26 February 2025

Modified: 24 March 2025
KEV Added: not listed
CVSS Score (v3.1): 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0006 (17.7th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-49474 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel (vendor: Linux, product: Linux Kernel). Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 17.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2022-49474 is a use-after-free vulnerability in the Linux kernel's Bluetooth subsystem, specifically affecting the SCO (Synchronous Connection-Oriented) socket handling in sco_sock_connect() and sco_sock_timeout(). The issue arises from a race condition when connecting the same socket twice consecutively, resulting in two sco_conn objects being created but only one associated with the socket. If the socket is closed before the SCO connection is established, the timer for the dangling sco_conn object is not canceled, leading to a use-after-free when the timer callback accesses the freed socket object. This is confirmed by a kernel call trace involving kasan_report and refcount_inc in sco_sock_timeout().

As the CVSS v3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, score 7.8) indicates, the vulnerability is reachable by a local attacker with low privileges and no user interaction. The attacker must win the race by connecting the same SCO socket twice in quick succession and closing it before the connection is established, so that the timer callback runs against freed memory. Successful exploitation could result in high confidentiality, integrity, and availability impacts, such as arbitrary code execution in the kernel, data corruption, or a system denial of service.

Mitigation involves applying the upstream kernel patches referenced in the stable repository commits, including 36c644c63bfcaee2d3a426f45e89a9cd09799318, 390d82733a953c1fabf3de9c9618091a7a9c90a6, 537f619dea4e3fa8ed1f8f938abffe3615794bcc, 65d347cb39e2e6bd0c2a745ad7c928998ebb0162, and 6f55fac0af3531cf60d11369454c41f5fc81ab3f, which fix the dangling sco_conn and use-after-free issues. Security practitioners should update affected Linux kernels to versions incorporating these fixes and monitor for Bluetooth SCO usage in local environments.
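The sequence in the analysis above, replayed as a small user-space C model (an added illustration, not code from this page, the kernel, or the stable commits listed): two connects leave a dangling sco_conn whose armed timer outlives the socket, and the unpatched close never cancels it. The names connect_sk, close_sk, run_timers and scenario are this model's own, and its hardened close (detach every conn that still points at the socket before it goes away) is the general defensive pattern rather than the upstream fix.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Toy user-space model of the advisory's sco_conn <-> sock relationship (a
 * constructed illustration, not kernel code); run_timers() fires timers by hand. */
struct sco_conn { struct sock *sk; bool timer_armed; };
struct sock { struct sco_conn *conn; int refcnt; bool freed; };
static struct sco_conn *conns[4]; static int nconns;
/* connect(): new conn with an armed timer; the socket remembers only the
 * newest conn, so connecting twice leaves the first one dangling. */
static void connect_sk(struct sock *sk) {
    struct sco_conn *c = calloc(1, sizeof *c);
    if (!c || nconns == 4) abort();
    *c = (struct sco_conn){ .sk = sk, .timer_armed = true };
    conns[nconns++] = sk->conn = c;
}
/* close(): unpatched, only the current conn's timer is cancelled before the sock
 * is freed (a flag here, so the model never reads freed memory); the hardened
 * variant (a general pattern, not the upstream patch) detaches every conn that
 * still points at the socket, so a late timer finds conn->sk == NULL. */
static void close_sk(struct sock *sk, bool patched) {
    for (int i = 0; i < nconns; i++) {
        if (conns[i]->sk != sk || (!patched && conns[i] != sk->conn)) continue;
        conns[i]->sk = NULL;
        conns[i]->timer_armed = false;
    }
    sk->freed = true;
}
/* Timeout callback: counts touches of a freed sock, i.e. the refcount_inc() in
 * the advisory's call trace; a live socket just gets sock_hold()'d. */
static int run_timers(void) {
    int uaf = 0;
    for (int i = 0; i < nconns; i++) {
        struct sco_conn *c = conns[i];
        if (!c->timer_armed || !c->sk) continue;
        c->timer_armed = false;
        if (c->sk->freed) uaf++; else c->sk->refcnt++;
    }
    return uaf;
}
/* The advisory's sequence: connect twice, close before the SCO link comes up,
 * let the timers fire. Returns the number of use-after-free accesses. */
static int scenario(bool patched) {
    struct sock sk = { .refcnt = 1 };
    nconns = 0;
    connect_sk(&sk); connect_sk(&sk);
    close_sk(&sk, patched);
    int uaf = run_timers();
    while (nconns) free(conns[--nconns]);
    return uaf;
}
```

scenario(false) reports one freed-socket access from the dangling conn's timer; scenario(true) reports none.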

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout

Connecting the same socket twice consecutively in sco_sock_connect() could lead to a race condition where two sco_conn objects are created but only one is associated with the socket. If the socket is closed before the SCO connection is established, the timer associated with the dangling sco_conn object won't be canceled. As the sock object is being freed, the use-after-free problem happens when the timer callback function sco_sock_timeout() accesses the socket.

Here's the call trace:

    dump_stack+0x107/0x163
    ? refcount_inc+0x1c/
    print_address_description.constprop.0+0x1c/0x47e
    ? refcount_inc+0x1c/0x7b
    kasan_report+0x13a/0x173
    ? refcount_inc+0x1c/0x7b
    check_memory_region+0x132/0x139
    refcount_inc+0x1c/0x7b
    sco_sock_timeout+0xb2/0x1ba
    process_one_work+0x739/0xbd1
    ? cancel_delayed_work+0x13f/0x13f
    ? __raw_spin_lock_init+0xf0/0xf0
    ? to_kthread+0x59/0x85
    worker_thread+0x593/0x70e
    kthread+0x346/0x35a
    ? drain_workqueue+0x31a/0x31a
    ? kthread_bind+0x4b/0x4b
    ret_from_fork+0x1f/0x30

CWE(s): CWE-416 (Use After Free)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel UAF in Bluetooth SCO enables privilege escalation to arbitrary code execution or DoS from low-privileged context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 (same product: Linux Kernel)
CVE-2026-31530 (same product: Linux Kernel)
CVE-2023-52974 (same product: Linux Kernel)
CVE-2026-43019 (same product: Linux Kernel)
CVE-2026-23158 (same product: Linux Kernel)
CVE-2025-21893 (same product: Linux Kernel)
CVE-2026-31446 (same product: Linux Kernel)
CVE-2022-49176 (same product: Linux Kernel)
CVE-2022-49291 (same product: Linux Kernel)
CVE-2026-31650 (same product: Linux Kernel)

Affected Assets

Vendor: Linux · Product: Linux Kernel
Affected versions: 4.4.284 — 4.5 · 4.9.238 — 4.9.318 · 4.14.247 — 4.14.283

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation · prevent

Directly remediates the use-after-free vulnerability by requiring timely patching of the Linux kernel with the commits that fix the dangling sco_conn and uncanceled timer in Bluetooth SCO socket handling.

CM-7 Least Functionality · prevent

Eliminates exposure to the vulnerable Bluetooth SCO code path by configuring the system to provide only essential capabilities and disabling unnecessary Bluetooth functionality.

Memory protection · prevent

Mitigates exploitation of the use-after-free in sco_sock_timeout by enforcing memory protection mechanisms that restrict unauthorized access to freed kernel memory regions.

References