{"id":"CVE-2022-49474","summary":"Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout\n\nConnecting the same socket twice consecutively in sco_sock_connect()\ncould lead to a race condition where two sco_conn objects are created\nbut only one is associated with the socket. If the socket is closed\nbefore the SCO connection is established, the timer associated with the\ndangling sco_conn object won't be canceled. As the sock object is being\nfreed, the use-after-free problem happens when the timer callback\nfunction sco_sock_timeout() accesses the socket. Here's the call trace:\n\ndump_stack+0x107/0x163\n? refcount_inc+0x1c/\nprint_address_description.constprop.0+0x1c/0x47e\n? refcount_inc+0x1c/0x7b\nkasan_report+0x13a/0x173\n? refcount_inc+0x1c/0x7b\ncheck_memory_region+0x132/0x139\nrefcount_inc+0x1c/0x7b\nsco_sock_timeout+0xb2/0x1ba\nprocess_one_work+0x739/0xbd1\n? cancel_delayed_work+0x13f/0x13f\n? __raw_spin_lock_init+0xf0/0xf0\n? to_kthread+0x59/0x85\nworker_thread+0x593/0x70e\nkthread+0x346/0x35a\n? drain_workqueue+0x31a/0x31a\n? kthread_bind+0x4b/0x4b\nret_from_fork+0x1f/0x30","modified":"2026-04-11T12:44:06.106943Z","published":"2025-02-26T02:13:16.679Z","related":["SUSE-SU-2025:01983-1","SUSE-SU-2025:1027-1","SUSE-SU-2025:1176-1","SUSE-SU-2025:1183-1","SUSE-SU-2025:1194-1","SUSE-SU-2025:1241-1","SUSE-SU-2025:1263-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49474.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/36c644c63bfcaee2d3a426f45e89a9cd09799318"},{"type":"WEB","url":"https://git.kernel.org/stable/c/390d82733a953c1fabf3de9c9618091a7a9c90a6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/537f619dea4e3fa8ed1f8f938abffe3615794bcc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/65d347cb39e2e6bd0c2a745ad7c928998ebb0162"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6f55fac0af3531cf60d11369454c41f5fc81ab3f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7aa1e7d15f8a5b65f67bacb100d8fc033b21efa2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7d61dbd7311ab978d8ddac1749a758de4de00374"},{"type":"WEB","url":"https://git.kernel.org/stable/c/99df16007f4bbf9abfc3478cb17d10f0d7f8906e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9de3dc09e56f8deacd2bdbf4cecb71e11a312405"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49474.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-49474"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"22c66af08230a7030bdb88accffaec3424695631"},{"fixed":"9de3dc09e56f8deacd2bdbf4cecb71e11a312405"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0115a66ebb44bd9127ccb58cf43ed23c795eb1f0"},{"fixed":"7d61dbd7311ab978d8ddac1749a758de4de00374"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"bc4b08383046f3282b6fa58cfcef05bd13e52b93"},{"fixed":"390d82733a953c1fabf3de9c9618091a7a9c90a6"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"5ccb04c6e1fb7b97fa2e1785b67c3a1cb3527ef7"},{"fixed":"6f55fac0af3531cf60d11369454c41f5fc81ab3f"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"059c2c09f4b7f97711d0d8eaa0b9877f5e7d0a75"},{"fixed":"36c644c63bfcaee2d3a426f45e89a9cd09799318"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"e1dee2c1de2b4dd00eb44004a4bda6326ed07b59"},{"fixed":"65d347cb39e2e6bd0c2a745ad7c928998ebb0162"},{"fixed":"537f619dea4e3fa8ed1f8f938abffe3615794bcc"},{"fixed":"99df16007f4bbf9abfc3478cb17d10f0d7f8906e"},{"fixed":"7aa1e7d15f8a5b65f67bacb100d8fc033b21efa2"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"98ae477ed1540d3acbbf44d88ee237ad64275158"},{"last_affected":"f0c389e23e2475e5837716a629c81b7a9d90cc94"},{"last_affected":"0b9da4bde0d59c61b3675bdd80a05a726beb875a"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49474.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.9.318"}]},{"type":"ECOSYSTEM","events":[{"introduced":"4.10.0"},{"fixed":"4.14.283"}]},{"type":"ECOSYSTEM","events":[{"introduced":"4.15.0"},{"fixed":"4.19.247"}]},{"type":"ECOSYSTEM","events":[{"introduced":"4.20.0"},{"fixed":"5.4.198"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.121"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.46"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.15.0"},{"fixed":"5.17.14"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"5.18.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49474.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}