CVE-2021-3752: 
Linux Kernel vulnerability analysis and mitigation

A use-after-free vulnerability was discovered in the Linux kernel's Bluetooth subsystem, specifically in the way user calls connect to the socket and disconnect simultaneously due to a race condition. The vulnerability was assigned CVE-2021-3752 and was discovered by Likang Luo of NSFOCUS Security Team. The issue affects Linux kernel versions prior to 5.15.3 (CVE MITRE, NVD).

The vulnerability occurs in the Bluetooth L2CAP implementation where a race condition exists between connecting to a socket and disconnecting. When l2cap_sock_teardown_cb() is executed, the sock is marked as SOCK_ZAPPED and can be treated as killable in l2cap_sock_kill() if sock_orphan() has executed. If the socket is closed through sock_close(), which calls l2cap_sock_kill(), and if another thread reaches l2cap_sock_teardown_cb() again, a use-after-free condition occurs. The vulnerability has a CVSS v3.1 base score of 7.1 (HIGH) (NETAPP).

This vulnerability allows a local user to crash the system or escalate their privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability (CVE MITRE).

The vulnerability has been fixed in Linux kernel version 5.15.3. The fix involves setting chan->data to NULL if the sock is destructed, to prevent teardown operations in l2cap_sock_teardown_cb(), and avoiding killing an already killed socket in l2cap_sock_close_cb(). Various Linux distributions have backported the fix to their supported kernel versions (Debian Security).