CVE-2022-49474

Source
https://cve.org/CVERecord?id=CVE-2022-49474
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49474.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49474
Downstream
Related
Published
2025-02-26T02:13:16.679Z
Modified
2026-03-12T03:25:14.998569Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout

Connecting the same socket twice consecutively in sco_sock_connect() could lead to a race condition where two sco_conn objects are created but only one is associated with the socket. If the socket is closed before the SCO connection is established, the timer associated with the dangling sco_conn object won't be canceled. As the sock object is being freed, the use-after-free problem happens when the timer callback function sco_sock_timeout() accesses the socket. Here's the call trace:

  dump_stack+0x107/0x163
  ? refcount_inc+0x1c/
  print_address_description.constprop.0+0x1c/0x47e
  ? refcount_inc+0x1c/0x7b
  kasan_report+0x13a/0x173
  ? refcount_inc+0x1c/0x7b
  check_memory_region+0x132/0x139
  refcount_inc+0x1c/0x7b
  sco_sock_timeout+0xb2/0x1ba
  process_one_work+0x739/0xbd1
  ? cancel_delayed_work+0x13f/0x13f
  ? __raw_spin_lock_init+0xf0/0xf0
  ? to_kthread+0x59/0x85
  worker_thread+0x593/0x70e
  kthread+0x346/0x35a
  ? drain_workqueue+0x31a/0x31a
  ? kthread_bind+0x4b/0x4b
  ret_from_fork+0x1f/0x30

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49474.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges


Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49474.json"