In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync
Use-after-free can occur in hci_disconnect_all_sync if a connection is deleted by concurrent processing of a controller event.
To prevent this the code now tries to iterate over the list backwards to ensure the links are cleaned up before their parents; also, it no longer relies on a cursor and instead always uses the last element, since hci_abort_conn_sync is guaranteed to call hci_conn_del.
BUG: KASAN: slab-use-after-free in hci_set_powered_sync (net/bluetooth/hci_sync.c:5424) [bluetooth]
Read of size 8 at addr ffff888009d9c000 by task kworker/u9:0/124

CPU: 0 PID: 124 Comm: kworker/u9:0 Tainted: G W 6.5.0-rc1+ #10
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
Workqueue: hci0 hci_cmd_sync_work [bluetooth]
Call Trace:
 <TASK>
 dump_stack_lvl+0x5b/0x90
 print_report+0xcf/0x670
 ? __virt_addr_valid+0xdd/0x160
 ? hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]
 kasan_report+0xa6/0xe0
 ? hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]
 ? __pfx_set_powered_sync+0x10/0x10 [bluetooth]
 hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]
 ? __pfx_hci_set_powered_sync+0x10/0x10 [bluetooth]
 ? __pfx_lock_release+0x10/0x10
 ? __pfx_set_powered_sync+0x10/0x10 [bluetooth]
 hci_cmd_sync_work+0x137/0x220 [bluetooth]
 process_one_work+0x526/0x9d0
 ? __pfx_process_one_work+0x10/0x10
 ? __pfx_do_raw_spin_lock+0x10/0x10
 ? mark_held_locks+0x1a/0x90
 worker_thread+0x92/0x630
 ? __pfx_worker_thread+0x10/0x10
 kthread+0x196/0x1e0
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x2c/0x50
 </TASK>

Allocated by task 1782:
 kasan_save_stack+0x33/0x60
 kasan_set_track+0x25/0x30
 __kasan_kmalloc+0x8f/0xa0
 hci_conn_add+0xa5/0xa80 [bluetooth]
 hci_bind_cis+0x881/0x9b0 [bluetooth]
 iso_connect_cis+0x121/0x520 [bluetooth]
 iso_sock_connect+0x3f6/0x790 [bluetooth]
 __sys_connect+0x109/0x130
 __x64_sys_connect+0x40/0x50
 do_syscall_64+0x60/0x90
 entry_SYSCALL_64_after_hwframe+0x6e/0xd8

Freed by task 695:
 kasan_save_stack+0x33/0x60
 kasan_set_track+0x25/0x30
 kasan_save_free_info+0x2b/0x50
 __kasan_slab_free+0x10a/0x180
 __kmem_cache_free+0x14d/0x2e0
 device_release+0x5d/0xf0
 kobject_put+0xdf/0x270
 hci_disconn_complete_evt+0x274/0x3a0 [bluetooth]
 hci_event_packet+0x579/0x7e0 [bluetooth]
 hci_rx_work+0x287/0xaa0 [bluetooth]
 process_one_work+0x526/0x9d0
 worker_thread+0x92/0x630
 kthread+0x196/0x1e0
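The iteration change the commit message describes, as an added user-space model that is not kernel code: a connection list where links (such as a CIS) follow their parent and are freed together with it, walked once with a saved cursor (the pre-fix shape, which goes stale) and once by always taking the last element (the post-fix shape). All names here (conn_add, conn_del, freed_ids, disconnect_all_cursor, disconnect_all_last) are this example's own; the freed-id bitmap exists only so the stale cursor can be detected without touching freed memory.

```c
#include <stdlib.h>
/* Constructed user-space model, not kernel code: a link (such as a CIS) sits
 * after its parent in the list, and deleting a parent deletes its links too. */
struct conn { int id; struct conn *parent, *next; };
static struct conn *head;            /* connection list, links after parents */
static unsigned freed_ids;           /* bit i set once the conn with id i is freed */

static struct conn *conn_add(int id, struct conn *parent)
{
    struct conn **pp = &head, *c = malloc(sizeof *c);
    *c = (struct conn){ id, parent, NULL };
    while (*pp) pp = &(*pp)->next;   /* append at the tail */
    return *pp = c;
}

/* Stands in for hci_conn_del: unlink c, free the links that follow it, then c. */
static void conn_del(struct conn *c)
{
    struct conn **pp = &head;
    while (*pp != c) pp = &(*pp)->next;
    *pp = c->next;                   /* unlink c; its links all come after it */
    for (struct conn *l; (l = *pp); )
        if (l->parent == c) conn_del(l); else pp = &l->next;
    freed_ids |= 1u << c->id;
    free(c);
}

/* Pre-fix shape: the list_for_each_entry_safe style cursor saved before the
 * abort can be freed along with the parent. Checked by id: 1 if it would be used. */
static int disconnect_all_cursor(void)
{
    for (struct conn *c = head, *n; c; c = n) {
        int next_id = (n = c->next) ? n->id : 0;
        conn_del(c);                 /* hci_abort_conn_sync -> hci_conn_del */
        if (next_id && (freed_ids >> next_id & 1)) return 1; /* real code: UAF read */
    }
    return 0;
}

/* Post-fix shape from the commit message: no cursor, always the last entry, so
 * links (at the tail) go before their parents. Returns the number aborted. */
static int disconnect_all_last(void)
{
    int aborted = 0;
    for (struct conn *last; (last = head); aborted++) {
        while (last->next) last = last->next;
        conn_del(last);
    }
    return aborted;
}
```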
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53762.json"
}