In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btmtksdio: fix use-after-free at btmtksdio_recv_event
We should not access skb buffer data anymore after hci_recv_frame has been called, because that call hands ownership of the skb to the Bluetooth core, which may free it.
[ 39.634809] BUG: KASAN: use-after-free in btmtksdio_recv_event+0x1b0
[ 39.634855] Read of size 1 at addr ffffff80cf28a60d by task kworker
[ 39.634962] Call trace:
[ 39.634974]  dump_backtrace+0x0/0x3b8
[ 39.634999]  show_stack+0x20/0x2c
[ 39.635016]  dump_stack_lvl+0x60/0x78
[ 39.635040]  print_address_description+0x70/0x2f0
[ 39.635062]  kasan_report+0x154/0x194
[ 39.635079]  __asan_report_load1_noabort+0x44/0x50
[ 39.635099]  btmtksdio_recv_event+0x1b0/0x1c4
[ 39.635129]  btmtksdio_txrx_work+0x6cc/0xac4
[ 39.635157]  process_one_work+0x560/0xc5c
[ 39.635177]  worker_thread+0x7ec/0xcc0
[ 39.635195]  kthread+0x2d0/0x3d0
[ 39.635215]  ret_from_fork+0x10/0x20
[ 39.635247] Allocated by task 0:
[ 39.635260]  (stack is not available)
[ 39.635281] Freed by task 2392:
[ 39.635295]  kasan_save_stack+0x38/0x68
[ 39.635319]  kasan_set_track+0x28/0x3c
[ 39.635338]  kasan_set_free_info+0x28/0x4c
[ 39.635357]  ____kasan_slab_free+0x104/0x150
[ 39.635374]  __kasan_slab_free+0x18/0x28
[ 39.635391]  slab_free_freelist_hook+0x114/0x248
[ 39.635410]  kfree+0xf8/0x2b4
[ 39.635427]  skb_free_head+0x58/0x98
[ 39.635447]  skb_release_data+0x2f4/0x410
[ 39.635464]  skb_release_all+0x50/0x60
[ 39.635481]  kfree_skb+0xc8/0x25c
[ 39.635498]  hci_event_packet+0x894/0xca4 [bluetooth]
[ 39.635721]  hci_rx_work+0x1c8/0x68c [bluetooth]
[ 39.635925]  process_one_work+0x560/0xc5c
[ 39.635951]  worker_thread+0x7ec/0xcc0
[ 39.635970]  kthread+0x2d0/0x3d0
[ 39.635990]  ret_from_fork+0x10/0x20
[ 39.636021] The buggy address belongs to the object at ffffff80cf28a600 which belongs to the cache kmalloc-512 of size 512
[ 39.636039] The buggy address is located 13 bytes inside of 512-byte region [ffffff80cf28a600, ffffff80cf28a800)
[
{
"id": "CVE-2022-49470-0ddc669f",
"deprecated": false,
"signature_version": "v1",
"target": {
"function": "btmtksdio_recv_event",
"file": "drivers/bluetooth/btmtksdio.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0fab6361c4ba17d1b43a991bef4238a3c1754d35",
"digest": {
"length": 684.0,
"function_hash": "289103179188163943442529337388745476173"
},
"signature_type": "Function"
},
{
"id": "CVE-2022-49470-23cac289",
"deprecated": false,
"signature_version": "v1",
"target": {
"function": "btmtksdio_recv_event",
"file": "drivers/bluetooth/btmtksdio.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b3cec8a42fcd11d05313c724f27e01b1db77522c",
"digest": {
"length": 742.0,
"function_hash": "169797353764944260509501947045775576616"
},
"signature_type": "Function"
},
{
"id": "CVE-2022-49470-2c4a4949",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/bluetooth/btmtksdio.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@01c6a899fa6be4f4cbf60c4f44f0f6691155415f",
"digest": {
"line_hashes": [
"44234478655283927597335169252490668067",
"94840506710963706696595519428828259171",
"86051415873190036064000779757001217366",
"322872335108905817012089893860476566314",
"116341634488250738403441045425445432257",
"216326048348159106391987383908683672346",
"123156515564406706034759442564852260742",
"107646133536543974284308024200231816105"
],
"threshold": 0.9
},
"signature_type": "Line"
},
{
"id": "CVE-2022-49470-363139ac",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/bluetooth/btmtksdio.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0fab6361c4ba17d1b43a991bef4238a3c1754d35",
"digest": {
"line_hashes": [
"44234478655283927597335169252490668067",
"94840506710963706696595519428828259171",
"86051415873190036064000779757001217366",
"322872335108905817012089893860476566314",
"116341634488250738403441045425445432257",
"216326048348159106391987383908683672346",
"123156515564406706034759442564852260742",
"107646133536543974284308024200231816105"
],
"threshold": 0.9
},
"signature_type": "Line"
},
{
"id": "CVE-2022-49470-7a9f380c",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/bluetooth/btmtksdio.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@02ba31e09a26e8cd4582ac8e6163d80284997727",
"digest": {
"line_hashes": [
"44234478655283927597335169252490668067",
"94840506710963706696595519428828259171",
"86051415873190036064000779757001217366",
"322872335108905817012089893860476566314",
"116341634488250738403441045425445432257",
"216326048348159106391987383908683672346",
"123156515564406706034759442564852260742",
"107646133536543974284308024200231816105"
],
"threshold": 0.9
},
"signature_type": "Line"
},
{
"id": "CVE-2022-49470-a07457d1",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/bluetooth/btmtksdio.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b3cec8a42fcd11d05313c724f27e01b1db77522c",
"digest": {
"line_hashes": [
"44234478655283927597335169252490668067",
"94840506710963706696595519428828259171",
"292539713643012328325129557046704990746",
"109599531760838148190309323171980499230",
"338610515088388284831281727134394376324",
"26969294161482000254662628638090051973",
"246702407051715669010453012020441762055",
"293781370260185677367661659529775714045"
],
"threshold": 0.9
},
"signature_type": "Line"
},
{
"id": "CVE-2022-49470-c68a49ee",
"deprecated": false,
"signature_version": "v1",
"target": {
"function": "btmtksdio_recv_event",
"file": "drivers/bluetooth/btmtksdio.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@02ba31e09a26e8cd4582ac8e6163d80284997727",
"digest": {
"length": 684.0,
"function_hash": "289103179188163943442529337388745476173"
},
"signature_type": "Function"
},
{
"id": "CVE-2022-49470-e205a160",
"deprecated": false,
"signature_version": "v1",
"target": {
"function": "btmtksdio_recv_event",
"file": "drivers/bluetooth/btmtksdio.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@01c6a899fa6be4f4cbf60c4f44f0f6691155415f",
"digest": {
"length": 684.0,
"function_hash": "289103179188163943442529337388745476173"
},
"signature_type": "Function"
}
]