CVE-2021-3455: 
NixOS vulnerability analysis and mitigation

CVE-2021-3455 is a Use After Free (CWE-416) vulnerability affecting Zephyr versions >= 2.4.0 and >= 2.5.0. The vulnerability was discovered when disconnecting an L2CAP channel immediately after an invalid ATT request, which leads to system freeze. The issue was patched in version 2.6.0 (Zephyr Advisory).

The vulnerability occurs when a Central device connects to a peripheral and creates an L2CAP connection for Enhanced ATT. When sending an invalid ATT request and immediately disconnecting, the system crashes because the L2CAP channel is already in a disconnected state when the Zephyr stack calls l2cap_chan_sdu_sent() and bt_att_sent(). The crash happens in bt_att_sent() because it attempts to access memory that has already been freed. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) by NIST NVD with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, while Zephyr Project assessed it as 4.3 (MEDIUM) with vector string CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (NVD, Zephyr Advisory).

The vulnerability affects system availability, potentially causing the system to freeze. When exploited, the system attempts to access freed memory blocks, as both ATT channel and ATT contexts were previously freed through bt_att_disconnected() and bt_att_released() calls (Zephyr Advisory).

The vulnerability has been patched in Zephyr version 2.6.0. Fixes were also backported to various versions through pull requests: main (#35597), v2.4 (#36105), and v2.5 (#36104) (Zephyr Advisory).