Impact
This flaw is a classic use‑after‑free in the Linux kernel’s Bluetooth ISO implementation. During a socket rebind, the code caches a connection pointer, releases the socket lock, then accesses the hardware device field. If another thread closes the socket in the brief unlocked window, the connection object can be freed, causing the kernel to dereference freed memory and crash. The vulnerability is a CWE‑416 scenario involving a race condition and memory corruption.
Affected Systems
All Linux kernel builds that contain the Bluetooth ISO subsystem before the patch commits referenced in the advisory. No precise release numbers are listed, so any kernel version that predates the commits may be vulnerable. The vulnerability affects the kernel itself, not user space applications.
Risk and Exploitability
The CVSS score of 7.8 indicates a high severity issue. Inference from the description suggests the attack requires local or privileged access to orchestrate concurrent socket operations, though this is not explicitly stated in the advisory. The EPSS score of less than 1% implies a very low likelihood of real‑world exploitation, and the flaw is not in the CISA KEV catalog. An attacker who succeeds would cause a kernel crash, which can serve as a denial‑of‑service or, if executed with elevated rights, a privilege‑escalation vector.
OpenCVE Enrichment