CVE-2024-36013
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-36013
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-36013.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-36013
- Downstream
- Related
- Published
- 2024-05-23T07:03:07Z
- Modified
- 2025-10-30T22:26:49.856556Z
- Severity
-
- 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()
Extend a critical section to prevent chan from early freeing. Also make the l2cap_connect() return type void. Nothing is using the returned value but it is ugly to return a potentially freed pointer. Making it void will help with backports because earlier kernels did use the return value. Now the compile will break for kernels where this patch is not a complete fix.
Call stack summary:
[use] l2capbredrsigcmd l2capconnect ┌ mutexlock(&conn->chanlock); │ chan = pchan->ops->newconnection(pchan); <- alloc chan │ _l2capchanadd(conn, chan); │ l2capchanhold(chan); │ listadd(&chan->list, &conn->chanl); ... (1) └ mutexunlock(&conn->chanlock); chan->conf_state ... (4) <- use after free
[free] l2capconndel ┌ mutexlock(&conn->chanlock); │ foreach chan in conn->chanl: ... (2) │ l2capchanput(chan); │ l2capchandestroy │ kfree(chan) ... (3) <- chan freed └ mutexunlock(&conn->chan_lock);
================================================================== BUG: KASAN: slab-use-after-free in instrumentatomicread include/linux/instrumented.h:68 [inline] BUG: KASAN: slab-use-after-free in testbit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] BUG: KASAN: slab-use-after-free in l2capconnect+0xa67/0x11a0 net/bluetooth/l2capcore.c:4260 Read of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311
- References
-
- http://www.openwall.com/lists/oss-security/2024/05/30/1
- http://www.openwall.com/lists/oss-security/2024/05/30/2
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/4d7b41c0e43995b0e992b9f8903109275744b658
- https://git.kernel.org/stable/c/826af9d2f69567c646ff46d10393d47e30ad23c6
- https://git.kernel.org/stable/c/cfe560c7050bfb37b0d2491bbe7cd8b59e77fdc5
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced73ffa904b78287f6acf8797e040150aa26a4af4aFixedcfe560c7050bfb37b0d2491bbe7cd8b59e77fdc5
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced73ffa904b78287f6acf8797e040150aa26a4af4aFixed826af9d2f69567c646ff46d10393d47e30ad23c6
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced73ffa904b78287f6acf8797e040150aa26a4af4aFixed4d7b41c0e43995b0e992b9f8903109275744b658
Affected versions
v2.*
v2.6.39
v2.6.39-rc2
v2.6.39-rc3
v2.6.39-rc4
v2.6.39-rc5
v2.6.39-rc6
v2.6.39-rc7
v3.*
v3.0
v3.0-rc1
v3.0-rc2
v3.0-rc3
v3.0-rc4
v3.0-rc5
v3.0-rc6
v3.0-rc7
v3.1
v3.1-rc1
v3.1-rc10
v3.1-rc2
v3.1-rc3
v3.1-rc4
v3.1-rc5
v3.1-rc6
v3.1-rc7
v3.1-rc8
v3.1-rc9
v3.10
v3.10-rc1
v3.10-rc2
v3.10-rc3
v3.10-rc4
v3.10-rc5
v3.10-rc6
v3.10-rc7
v3.11
v3.11-rc1
v3.11-rc2
v3.11-rc3
v3.11-rc4
v3.11-rc5
v3.11-rc6
v3.11-rc7
v3.12
v3.12-rc1
v3.12-rc2
v3.12-rc3
v3.12-rc4
v3.12-rc5
v3.12-rc6
v3.12-rc7
v3.13
v3.13-rc1
v3.13-rc2
v3.13-rc3
v3.13-rc4
v3.13-rc5
v3.13-rc6
v3.13-rc7
v3.13-rc8
v3.14
v3.14-rc1
v3.14-rc2
v3.14-rc3
v3.14-rc4
v3.14-rc5
v3.14-rc6
v3.14-rc7
v3.14-rc8
v3.15
v3.15-rc1
v3.15-rc2
v3.15-rc3
v3.15-rc4
v3.15-rc5
v3.15-rc6
v3.15-rc7
v3.15-rc8
v3.16
v3.16-rc1
v3.16-rc2
v3.16-rc3
v3.16-rc4
v3.16-rc5
v3.16-rc6
v3.16-rc7
v3.17
v3.17-rc1
v3.17-rc2
v3.17-rc3
v3.17-rc4
v3.17-rc5
v3.17-rc6
v3.17-rc7
v3.18
v3.18-rc1
v3.18-rc2
v3.18-rc3
v3.18-rc4
v3.18-rc5
v3.18-rc6
v3.18-rc7
v3.19
v3.19-rc1
v3.19-rc2
v3.19-rc3
v3.19-rc4
v3.19-rc5
v3.19-rc6
v3.19-rc7
v3.2
v3.2-rc1
v3.2-rc2
v3.2-rc3
v3.2-rc4
v3.2-rc5
v3.2-rc6
v3.2-rc7
v3.3
v3.3-rc1
v3.3-rc2
v3.3-rc3
v3.3-rc4
v3.3-rc5
v3.3-rc6
v3.3-rc7
v3.4
v3.4-rc1
v3.4-rc2
v3.4-rc3
v3.4-rc4
v3.4-rc5
v3.4-rc6
v3.4-rc7
v3.5
v3.5-rc1
v3.5-rc2
v3.5-rc3
v3.5-rc4
v3.5-rc5
v3.5-rc6
v3.5-rc7
v3.6
v3.6-rc1
v3.6-rc2
v3.6-rc3
v3.6-rc4
v3.6-rc5
v3.6-rc6
v3.6-rc7
v3.7
v3.7-rc1
v3.7-rc2
v3.7-rc3
v3.7-rc4
v3.7-rc5
v3.7-rc6
v3.7-rc7
v3.7-rc8
v3.8
v3.8-rc1
v3.8-rc2
v3.8-rc3
v3.8-rc4
v3.8-rc5
v3.8-rc6
v3.8-rc7
v3.9
v3.9-rc1
v3.9-rc2
v3.9-rc3
v3.9-rc4
v3.9-rc5
v3.9-rc6
v3.9-rc7
v3.9-rc8
v4.*
v4.0
v4.0-rc1
v4.0-rc2
v4.0-rc3
v4.0-rc4
v4.0-rc5
v4.0-rc6
v4.0-rc7
v4.1
v4.1-rc1
v4.1-rc2
v4.1-rc3
v4.1-rc4
v4.1-rc5
v4.1-rc6
v4.1-rc7
v4.1-rc8
v4.10
v4.10-rc1
v4.10-rc2
v4.10-rc3
v4.10-rc4
v4.10-rc5
v4.10-rc6
v4.10-rc7
v4.10-rc8
v4.11
v4.11-rc1
v4.11-rc2
v4.11-rc3
v4.11-rc4
v4.11-rc5
v4.11-rc6
v4.11-rc7
v4.11-rc8
v4.12
v4.12-rc1
v4.12-rc2
v4.12-rc3
v4.12-rc4
v4.12-rc5
v4.12-rc6
v4.12-rc7
v4.13
v4.13-rc1
v4.13-rc2
v4.13-rc3
v4.13-rc4
v4.13-rc5
v4.13-rc6
v4.13-rc7
v4.14
v4.14-rc1
v4.14-rc2
v4.14-rc3
v4.14-rc4
v4.14-rc5
v4.14-rc6
v4.14-rc7
v4.14-rc8
v4.15
v4.15-rc1
v4.15-rc2
v4.15-rc3
v4.15-rc4
v4.15-rc5
v4.15-rc6
v4.15-rc7
v4.15-rc8
v4.15-rc9
v4.16
v4.16-rc1
v4.16-rc2
v4.16-rc3
v4.16-rc4
v4.16-rc5
v4.16-rc6
v4.16-rc7
v4.17
v4.17-rc1
v4.17-rc2
v4.17-rc3
v4.17-rc4
v4.17-rc5
v4.17-rc6
v4.17-rc7
v4.18
v4.18-rc1
v4.18-rc2
v4.18-rc3
v4.18-rc4
v4.18-rc5
v4.18-rc6
v4.18-rc7
v4.18-rc8
v4.19
v4.19-rc1
v4.19-rc2
v4.19-rc3
v4.19-rc4
v4.19-rc5
v4.19-rc6
v4.19-rc7
v4.19-rc8
v4.2
v4.2-rc1
v4.2-rc2
v4.2-rc3
v4.2-rc4
v4.2-rc5
v4.2-rc6
v4.2-rc7
v4.2-rc8
v4.20
v4.20-rc1
v4.20-rc2
v4.20-rc3
v4.20-rc4
v4.20-rc5
v4.20-rc6
v4.20-rc7
v4.3
v4.3-rc1
v4.3-rc2
v4.3-rc3
v4.3-rc4
v4.3-rc5
v4.3-rc6
v4.3-rc7
v4.4
v4.4-rc1
v4.4-rc2
v4.4-rc3
v4.4-rc4
v4.4-rc5
v4.4-rc6
v4.4-rc7
v4.4-rc8
v4.5
v4.5-rc1
v4.5-rc2
v4.5-rc3
v4.5-rc4
v4.5-rc5
v4.5-rc6
v4.5-rc7
v4.6
v4.6-rc1
v4.6-rc2
v4.6-rc3
v4.6-rc4
v4.6-rc5
v4.6-rc6
v4.6-rc7
v4.7
v4.7-rc1
v4.7-rc2
v4.7-rc3
v4.7-rc4
v4.7-rc5
v4.7-rc6
v4.7-rc7
v4.8
v4.8-rc1
v4.8-rc2
v4.8-rc3
v4.8-rc4
v4.8-rc5
v4.8-rc6
v4.8-rc7
v4.8-rc8
v4.9
v4.9-rc1
v4.9-rc2
v4.9-rc3
v4.9-rc4
v4.9-rc5
v4.9-rc6
v4.9-rc7
v4.9-rc8
v5.*
v5.0
v5.0-rc1
v5.0-rc2
v5.0-rc3
v5.0-rc4
v5.0-rc5
v5.0-rc6
v5.0-rc7
v5.0-rc8
v5.1
v5.1-rc1
v5.1-rc2
v5.1-rc3
v5.1-rc4
v5.1-rc5
v5.1-rc6
v5.1-rc7
v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v5.2
v5.2-rc1
v5.2-rc2
v5.2-rc3
v5.2-rc4
v5.2-rc5
v5.2-rc6
v5.2-rc7
v5.3
v5.3-rc1
v5.3-rc2
v5.3-rc3
v5.3-rc4
v5.3-rc5
v5.3-rc6
v5.3-rc7
v5.3-rc8
v5.4
v5.4-rc1
v5.4-rc2
v5.4-rc3
v5.4-rc4
v5.4-rc5
v5.4-rc6
v5.4-rc7
v5.4-rc8
v5.5
v5.5-rc1
v5.5-rc2
v5.5-rc3
v5.5-rc4
v5.5-rc5
v5.5-rc6
v5.5-rc7
v5.6
v5.6-rc1
v5.6-rc2
v5.6-rc3
v5.6-rc4
v5.6-rc5
v5.6-rc6
v5.6-rc7
v5.7
v5.7-rc1
v5.7-rc2
v5.7-rc3
v5.7-rc4
v5.7-rc5
v5.7-rc6
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8
v6.*
v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.8.1
v6.8.10
v6.8.2
v6.8.3
v6.8.4
v6.8.5
v6.8.6
v6.8.7
v6.8.8
v6.8.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
Database specific
vanir_signatures
[
{
"digest": {
"length": 3053.0,
"function_hash": "246981553662201841153957827037419308884"
},
"target": {
"file": "net/bluetooth/l2cap_core.c",
"function": "l2cap_connect"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4d7b41c0e43995b0e992b9f8903109275744b658",
"id": "CVE-2024-36013-283b05c8",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function"
},
{
"digest": {
"line_hashes": [
"216375717422549860408192354593323189894",
"23900696749263022884795352863207778227",
"105914298259188537450292867085459240490",
"308282589289322510363247024256371083281",
"264885713325477104457328682345652997752",
"165938746058252904747623681037180880770",
"321101580678447991812783194849548123963",
"239467983888671578152303929808000937563",
"65978536021795811297021724348075402688",
"151743590662336340404126252282592912939",
"241921427207600669279615837620989072115",
"239409782948611592579014065046550904777",
"291854006330047590137980307779264284676",
"227176899615270123034945454522038736646",
"190268633123627826075428139703500942803",
"152585511663439909537632467623675238842",
"165198765786842959769157280372969986529",
"16594563306773867011804310248707682485",
"286139408677902614120773833559665847089",
"157672344917527926826029335217600731960",
"339813131835318437100150781638007145239",
"260326705004890858871953511939189857545",
"23842695864096845240787993356895617770",
"257526218448431247741191888884476730300",
"309201645531959891932268795799873332857",
"321817408291178054510156971203499931940",
"229318690409252345806809614687322656414",
"124297069260508587188200133823420686745",
"35984587845791665935318509525783097624",
"80298463559340151165385644066545844485"
],
"threshold": 0.9
},
"target": {
"file": "net/bluetooth/l2cap_core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cfe560c7050bfb37b0d2491bbe7cd8b59e77fdc5",
"id": "CVE-2024-36013-537550b2",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line"
},
{
"digest": {
"length": 3053.0,
"function_hash": "246981553662201841153957827037419308884"
},
"target": {
"file": "net/bluetooth/l2cap_core.c",
"function": "l2cap_connect"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@826af9d2f69567c646ff46d10393d47e30ad23c6",
"id": "CVE-2024-36013-54b1d964",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function"
},
{
"digest": {
"line_hashes": [
"216375717422549860408192354593323189894",
"23900696749263022884795352863207778227",
"105914298259188537450292867085459240490",
"308282589289322510363247024256371083281",
"264885713325477104457328682345652997752",
"165938746058252904747623681037180880770",
"321101580678447991812783194849548123963",
"239467983888671578152303929808000937563",
"65978536021795811297021724348075402688",
"151743590662336340404126252282592912939",
"241921427207600669279615837620989072115",
"239409782948611592579014065046550904777",
"291854006330047590137980307779264284676",
"227176899615270123034945454522038736646",
"190268633123627826075428139703500942803",
"152585511663439909537632467623675238842",
"165198765786842959769157280372969986529",
"16594563306773867011804310248707682485",
"286139408677902614120773833559665847089",
"157672344917527926826029335217600731960",
"339813131835318437100150781638007145239",
"260326705004890858871953511939189857545",
"23842695864096845240787993356895617770",
"257526218448431247741191888884476730300",
"309201645531959891932268795799873332857",
"321817408291178054510156971203499931940",
"229318690409252345806809614687322656414",
"124297069260508587188200133823420686745",
"35984587845791665935318509525783097624",
"80298463559340151165385644066545844485"
],
"threshold": 0.9
},
"target": {
"file": "net/bluetooth/l2cap_core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4d7b41c0e43995b0e992b9f8903109275744b658",
"id": "CVE-2024-36013-90182ff1",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line"
},
{
"digest": {
"line_hashes": [
"216375717422549860408192354593323189894",
"23900696749263022884795352863207778227",
"105914298259188537450292867085459240490",
"308282589289322510363247024256371083281",
"264885713325477104457328682345652997752",
"165938746058252904747623681037180880770",
"321101580678447991812783194849548123963",
"239467983888671578152303929808000937563",
"65978536021795811297021724348075402688",
"151743590662336340404126252282592912939",
"241921427207600669279615837620989072115",
"239409782948611592579014065046550904777",
"291854006330047590137980307779264284676",
"227176899615270123034945454522038736646",
"190268633123627826075428139703500942803",
"152585511663439909537632467623675238842",
"165198765786842959769157280372969986529",
"16594563306773867011804310248707682485",
"286139408677902614120773833559665847089",
"157672344917527926826029335217600731960",
"339813131835318437100150781638007145239",
"260326705004890858871953511939189857545",
"23842695864096845240787993356895617770",
"257526218448431247741191888884476730300",
"309201645531959891932268795799873332857",
"321817408291178054510156971203499931940",
"229318690409252345806809614687322656414",
"124297069260508587188200133823420686745",
"35984587845791665935318509525783097624",
"80298463559340151165385644066545844485"
],
"threshold": 0.9
},
"target": {
"file": "net/bluetooth/l2cap_core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@826af9d2f69567c646ff46d10393d47e30ad23c6",
"id": "CVE-2024-36013-9c9977f8",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line"
},
{
"digest": {
"length": 3053.0,
"function_hash": "246981553662201841153957827037419308884"
},
"target": {
"file": "net/bluetooth/l2cap_core.c",
"function": "l2cap_connect"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cfe560c7050bfb37b0d2491bbe7cd8b59e77fdc5",
"id": "CVE-2024-36013-bf6d0fa9",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function"
}
]