CVE-2022-3564: 
Linux Kernel vulnerability analysis and mitigation

A critical vulnerability (CVE-2022-3564) was discovered in the Linux Kernel's Bluetooth L2CAP subsystem, specifically affecting the l2capreassemblesdu function in net/bluetooth/l2cap_core.c. The vulnerability was discovered on October 17, 2022, and involves a race condition that leads to a use-after-free condition (NVD, Ubuntu Security).

The vulnerability stems from a race condition between two parallel flows: 1) l2capreassemblesdu -> chan->ops->recv (l2capsockrecvcb) -> _sockqueuercvskb, and 2) btsockrecvmsg -> skbrecvdatagram, skbfreedatagram. An SKB can be queued by the first flow and immediately dequeued and freed by the second flow, leading to a use-after-free condition when callers of l2capreassemblesdu continue accessing struct l2capctrl that resides in the SKB's CB (Kernel Commit). The vulnerability has been assigned a CVSS 3.1 base score of 7.1 (High) (NetApp Security).

When successfully exploited, this vulnerability could lead to denial of service (system crash or memory corruption), information disclosure, or potentially privilege escalation. The vulnerability affects systems with Bluetooth capabilities and could be triggered by a local attacker (Ubuntu Security, Debian LTS).

The vulnerability has been fixed in various Linux kernel versions across different distributions. For example, Red Hat Enterprise Linux 9.0 received the fix in kernel version 5.14.0-70.49.1.rt21.120.el90, Ubuntu 22.04 LTS in version 5.15.0-56.62, and Debian 10 in version 4.19.269-1 (Red Hat CVE, Debian LTS). The fix involves keeping a local copy of struct l2capctrl to avoid the race condition.