CVE-2024-27399 — NULL Pointer Dereference in Linux
Severity
5.5MEDIUMNVD
EPSS
0.0%
top 98.67%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedMay 14
Latest updateSep 18
Description
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout
There is a race condition between l2cap_chan_timeout() and
l2cap_chan_del(). When we use l2cap_chan_del() to delete the
channel, the chan->conn will be set to null. But the conn could
be dereferenced again in the mutex_lock() of l2cap_chan_timeout().
As a result the null pointer dereference bug will happen. The
KASAN report triggered by POC is shown below:
[ 472.07458…
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6
Affected Packages3 packages
▶CVEListV5linux/linux3df91ea20e744344100b10ae69a17211fcf5b207 — e137e2ba96e51902dc2878131823a96bf8e638ae+8
Also affects: Debian Linux 10.0, Fedora 39, 40
Patches
🔴Vulnerability Details
3OSV▶
CVE-2024-27399: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout There is a race conditi↗2024-05-14
GHSA▶
GHSA-3p2h-8x46-gvg6: In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout
There is a race condi↗2024-05-14
📋Vendor Advisories
19💬Community
1Bugzilla
▶