CVE-2024-26801
Published: Apr 4, 2024
Modified: May 11, 2026
Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: Avoid potential use-after-free in hci_error_reset

While handling the HCI_EV_HARDWARE_ERROR event, if the underlying BT controller is not responding, the GPIO reset mechanism would free the hci_dev and lead to a use-after-free in hci_error_reset.

Here's the call trace observed on a ChromeOS device with Intel AX201:

    queue_work_on+0x3e/0x6c
    __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth <HASH:3b4a6>]
    ? init_wait_entry+0x31/0x31
    __hci_cmd_sync+0x16/0x20 [bluetooth <HASH:3b4a6>]
    hci_error_reset+0x4f/0xa4 [bluetooth <HASH:3b4a6>]
    process_one_work+0x1d8/0x33f
    worker_thread+0x21b/0x373
    kthread+0x13a/0x152
    ? pr_cont_work+0x54/0x54
    ? kthread_blkcg+0x31/0x31
    ret_from_fork+0x1f/0x30

This patch holds the reference count on the hci_dev while processing a HCI_EV_HARDWARE_ERROR event to avoid potential crash.
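The pattern the description refers to, holding a reference for the duration of the work handler so a reset path cannot free the object underneath it, is shown below as an added userspace model. It is not the kernel patch or kernel code; `struct dev`, `dev_hold`, `dev_put`, `reset_unregister` and `error_reset_work` are hypothetical stand-ins.

```c
/* Userspace model of the fix; all names are hypothetical, not kernel code. */
#include <stdio.h>
#include <stdlib.h>

struct dev {
    int refcnt;   /* number of holders */
    int resets;   /* written by the work handler after the reset */
};

static int freed_count;   /* how many objects have been released */

static struct dev *dev_alloc(void)
{
    struct dev *d = calloc(1, sizeof(*d));
    if (!d) abort();
    d->refcnt = 1;        /* registration reference */
    return d;
}

static void dev_hold(struct dev *d) { d->refcnt++; }

static void dev_put(struct dev *d)
{
    if (--d->refcnt == 0) {
        freed_count++;
        free(d);
    }
}

/* Stand-in for the reset path: drops the registration reference. */
static void reset_unregister(struct dev *d) { dev_put(d); }

/* Stand-in for the work handler; returns the refcount seen after the reset. */
static int error_reset_work(struct dev *d)
{
    int live;
    dev_hold(d);           /* the fix: pin the object for the whole handler */
    reset_unregister(d);   /* drops the only other reference */
    live = d->refcnt;      /* safe: our reference keeps d allocated */
    d->resets++;           /* without the hold this write hits freed memory */
    dev_put(d);            /* last reference: the object is freed here */
    return live;
}

int main(void)
{
    int live = error_reset_work(dev_alloc());
    printf("refs during handler: %d, frees: %d\n", live, freed_count);
    return 0;
}
```

Removing the `dev_hold`/`dev_put` pair from `error_reset_work` reproduces the bug class in this model, which AddressSanitizer (`-fsanitize=address`) reports as a heap-use-after-free.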
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux | affected c7741d16a57cbf97eebe53f27e8216b1ff20e20c - < e0b278650f07acf2e0932149183458468a731c03; affected c7741d16a57cbf97eebe53f27e8216b1ff20e20c - < 98fb98fd37e42fd4ce13ff657ea64503e24b6090; affected c7741d16a57cbf97eebe53f27e8216b1ff20e20c - < 6dd0a9dfa99f8990a08eb8fdd8e79bee31c7d8e2; affected c7741d16a57cbf97eebe53f27e8216b1ff20e20c - < da4569d450b193e39e87119fd316c0291b585d14; affected c7741d16a57cbf97eebe53f27e8216b1ff20e20c - < 45085686b9559bfbe3a4f41d3d695a520668f5e1; +3 more versions |
| Linux | Linux | affected 4.0; unaffected 0 - < 4.0; unaffected 4.19.309 - <= 4.19.*; unaffected 5.4.271 - <= 5.4.*; unaffected 5.10.212 - <= 5.10.*; +5 more versions |