Impact
A missing lock around the l2cap_chan_del() call in the l2cap_ecred_reconf_rsp function allows a remote Bluetooth Low Energy device to send a crafted L2CAP ECRED reconfiguration response that corrupts the channel list while other kernel threads are iterating it. The corruption can lead to kernel crashes or service interruption, effectively denying legitimate users from using Bluetooth services without proper recovery. This flaw represents a race condition caused by improper lock handling (CWE-414).
Affected Systems
Linux kernel implementations that have not yet incorporated the patch that adds proper channel locking and reference handling around l2cap_chan_del during ECRED reconfiguration. No specific kernel version range is provided, so any kernel that includes the old implementation is potentially vulnerable.
Risk and Exploitability
The vulnerability requires a nearby or connected BLE device that can transmit a crafted L2CAP ECRED reconfiguration response, a scenario that is feasible in many wireless environments. The CVSS score of 8.8 indicates high severity, but the EPSS score of < 1% suggests a low likelihood of exploitation. If conditions are met, the race condition can lead to kernel crashes or service interruption. The lack of inclusion in the CISA KEV catalog indicates no widely known exploitation, yet the attack vector remains available in environments where BLE devices communicate with Linux systems. The likely attack vector is a Bluetooth Low Energy device in proximity performing the exploit.
OpenCVE Enrichment
Debian DLA