{"id":"CVE-2022-49470","summary":"Bluetooth: btmtksdio: fix use-after-free at btmtksdio_recv_event","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btmtksdio: fix use-after-free at btmtksdio_recv_event\n\nWe should not access skb buffer data anymore after hci_recv_frame was\ncalled.\n\n[ 39.634809] BUG: KASAN: use-after-free in btmtksdio_recv_event+0x1b0\n[ 39.634855] Read of size 1 at addr ffffff80cf28a60d by task kworker\n[ 39.634962] Call trace:\n[ 39.634974] dump_backtrace+0x0/0x3b8\n[ 39.634999] show_stack+0x20/0x2c\n[ 39.635016] dump_stack_lvl+0x60/0x78\n[ 39.635040] print_address_description+0x70/0x2f0\n[ 39.635062] kasan_report+0x154/0x194\n[ 39.635079] __asan_report_load1_noabort+0x44/0x50\n[ 39.635099] btmtksdio_recv_event+0x1b0/0x1c4\n[ 39.635129] btmtksdio_txrx_work+0x6cc/0xac4\n[ 39.635157] process_one_work+0x560/0xc5c\n[ 39.635177] worker_thread+0x7ec/0xcc0\n[ 39.635195] kthread+0x2d0/0x3d0\n[ 39.635215] ret_from_fork+0x10/0x20\n[ 39.635247] Allocated by task 0:\n[ 39.635260] (stack is not available)\n[ 39.635281] Freed by task 2392:\n[ 39.635295] kasan_save_stack+0x38/0x68\n[ 39.635319] kasan_set_track+0x28/0x3c\n[ 39.635338] kasan_set_free_info+0x28/0x4c\n[ 39.635357] ____kasan_slab_free+0x104/0x150\n[ 39.635374] __kasan_slab_free+0x18/0x28\n[ 39.635391] slab_free_freelist_hook+0x114/0x248\n[ 39.635410] kfree+0xf8/0x2b4\n[ 39.635427] skb_free_head+0x58/0x98\n[ 39.635447] skb_release_data+0x2f4/0x410\n[ 39.635464] skb_release_all+0x50/0x60\n[ 39.635481] kfree_skb+0xc8/0x25c\n[ 39.635498] hci_event_packet+0x894/0xca4 [bluetooth]\n[ 39.635721] hci_rx_work+0x1c8/0x68c [bluetooth]\n[ 39.635925] process_one_work+0x560/0xc5c\n[ 39.635951] worker_thread+0x7ec/0xcc0\n[ 39.635970] kthread+0x2d0/0x3d0\n[ 39.635990] ret_from_fork+0x10/0x20\n[ 39.636021] The buggy address belongs to the object at ffffff80cf28a600\n which belongs to the cache kmalloc-512 of size 512\n[ 39.636039] The buggy address is located 13 bytes inside of\n 512-byte region [ffffff80cf28a600, ffffff80cf28a800)","modified":"2026-04-11T12:44:06.748703Z","published":"2025-02-26T02:13:14.024Z","related":["SUSE-SU-2025:1176-1","SUSE-SU-2025:1241-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49470.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/01c6a899fa6be4f4cbf60c4f44f0f6691155415f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/02ba31e09a26e8cd4582ac8e6163d80284997727"},{"type":"WEB","url":"https://git.kernel.org/stable/c/0fab6361c4ba17d1b43a991bef4238a3c1754d35"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b3cec8a42fcd11d05313c724f27e01b1db77522c"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49470.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-49470"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"9aebfd4a2200ab8075e44379c758bccefdc589bb"},{"fixed":"b3cec8a42fcd11d05313c724f27e01b1db77522c"},{"fixed":"02ba31e09a26e8cd4582ac8e6163d80284997727"},{"fixed":"01c6a899fa6be4f4cbf60c4f44f0f6691155415f"},{"fixed":"0fab6361c4ba17d1b43a991bef4238a3c1754d35"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49470.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.2.0"},{"fixed":"5.15.54"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"5.17.14"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.18.0"},{"fixed":"5.18.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49470.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}