CVE-2022-49470

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49470
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49470.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49470
Downstream
Related
Published
2025-02-26T02:13:14Z
Modified
2025-10-15T22:23:27.740074Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Bluetooth: btmtksdio: fix use-after-free at btmtksdio_recv_event
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btmtksdio: fix use-after-free at btmtksdiorecvevent

We should not access skb buffer data anymore after hcirecvframe was called.

[ 39.634809] BUG: KASAN: use-after-free in btmtksdiorecvevent+0x1b0 [ 39.634855] Read of size 1 at addr ffffff80cf28a60d by task kworker [ 39.634962] Call trace: [ 39.634974] dumpbacktrace+0x0/0x3b8 [ 39.634999] showstack+0x20/0x2c [ 39.635016] dumpstacklvl+0x60/0x78 [ 39.635040] printaddressdescription+0x70/0x2f0 [ 39.635062] kasanreport+0x154/0x194 [ 39.635079] asanreportload1noabort+0x44/0x50 [ 39.635099] btmtksdiorecvevent+0x1b0/0x1c4 [ 39.635129] btmtksdiotxrxwork+0x6cc/0xac4 [ 39.635157] processonework+0x560/0xc5c [ 39.635177] workerthread+0x7ec/0xcc0 [ 39.635195] kthread+0x2d0/0x3d0 [ 39.635215] retfromfork+0x10/0x20 [ 39.635247] Allocated by task 0: [ 39.635260] (stack is not available) [ 39.635281] Freed by task 2392: [ 39.635295] kasansavestack+0x38/0x68 [ 39.635319] kasansettrack+0x28/0x3c [ 39.635338] kasansetfreeinfo+0x28/0x4c [ 39.635357] kasanslabfree+0x104/0x150 [ 39.635374] _kasanslabfree+0x18/0x28 [ 39.635391] slabfreefreelisthook+0x114/0x248 [ 39.635410] kfree+0xf8/0x2b4 [ 39.635427] skbfreehead+0x58/0x98 [ 39.635447] skbreleasedata+0x2f4/0x410 [ 39.635464] skbreleaseall+0x50/0x60 [ 39.635481] kfreeskb+0xc8/0x25c [ 39.635498] hcieventpacket+0x894/0xca4 [bluetooth] [ 39.635721] hcirxwork+0x1c8/0x68c [bluetooth] [ 39.635925] processonework+0x560/0xc5c [ 39.635951] workerthread+0x7ec/0xcc0 [ 39.635970] kthread+0x2d0/0x3d0 [ 39.635990] retfromfork+0x10/0x20 [ 39.636021] The buggy address belongs to the object at ffffff80cf28a600 which belongs to the cache kmalloc-512 of size 512 [ 39.636039] The buggy address is located 13 bytes inside of 512-byte region [ffffff80cf28a600, ffffff80cf28a800)

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9aebfd4a2200ab8075e44379c758bccefdc589bb
Fixed
b3cec8a42fcd11d05313c724f27e01b1db77522c
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9aebfd4a2200ab8075e44379c758bccefdc589bb
Fixed
02ba31e09a26e8cd4582ac8e6163d80284997727
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9aebfd4a2200ab8075e44379c758bccefdc589bb
Fixed
01c6a899fa6be4f4cbf60c4f44f0f6691155415f
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9aebfd4a2200ab8075e44379c758bccefdc589bb
Fixed
0fab6361c4ba17d1b43a991bef4238a3c1754d35

Affected versions

v5.*

v5.1
v5.1-rc6
v5.1-rc7
v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.29
v5.15.3
v5.15.30
v5.15.31
v5.15.32
v5.15.33
v5.15.34
v5.15.35
v5.15.36
v5.15.37
v5.15.38
v5.15.39
v5.15.4
v5.15.40
v5.15.41
v5.15.42
v5.15.43
v5.15.44
v5.15.45
v5.15.46
v5.15.47
v5.15.48
v5.15.49
v5.15.5
v5.15.50
v5.15.51
v5.15.52
v5.15.53
v5.15.6
v5.15.7
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.17.1
v5.17.10
v5.17.11
v5.17.12
v5.17.13
v5.17.2
v5.17.3
v5.17.4
v5.17.5
v5.17.6
v5.17.7
v5.17.8
v5.17.9
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.18.1
v5.18.2
v5.2
v5.2-rc1
v5.2-rc2
v5.2-rc3
v5.2-rc4
v5.2-rc5
v5.2-rc6
v5.2-rc7
v5.3
v5.3-rc1
v5.3-rc2
v5.3-rc3
v5.3-rc4
v5.3-rc5
v5.3-rc6
v5.3-rc7
v5.3-rc8
v5.4
v5.4-rc1
v5.4-rc2
v5.4-rc3
v5.4-rc4
v5.4-rc5
v5.4-rc6
v5.4-rc7
v5.4-rc8
v5.5
v5.5-rc1
v5.5-rc2
v5.5-rc3
v5.5-rc4
v5.5-rc5
v5.5-rc6
v5.5-rc7
v5.6
v5.6-rc1
v5.6-rc2
v5.6-rc3
v5.6-rc4
v5.6-rc5
v5.6-rc6
v5.6-rc7
v5.7
v5.7-rc1
v5.7-rc2
v5.7-rc3
v5.7-rc4
v5.7-rc5
v5.7-rc6
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.2.0
Fixed
5.15.54
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.17.14
Type
ECOSYSTEM
Events
Introduced
5.18.0
Fixed
5.18.3