
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
An integer overflow vulnerability (CVE-2022-45934) was discovered in the Linux kernel through version 6.0.10. It affects the l2cap_config_req function in net/bluetooth/l2cap_core.c, which is susceptible to an integer wraparound when processing L2CAP_CONF_REQ packets. This vulnerability was discovered and disclosed in November 2022 (NVD, CVE).
The vulnerability exists in the Bluetooth subsystem of the Linux kernel, specifically in the L2CAP (Logical Link Control and Adaptation Protocol) implementation. The chan->num_conf_rsp counter increases each time an L2CAP_CONF_REQ packet is handled, so repeated packets eventually make it wrap around at its maximum value of 255. This was addressed by adding a boundary check with L2CAP_MAX_CONF_RSP (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).
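The counter behaviour described above, modelled in user-space C as an added example (not the kernel's code or the patch itself). The names chan_model, conf_req_unpatched, conf_req_patched and replay, and the limit value MODEL_MAX_CONF_RSP, are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed limit for this model; the kernel defines its own constant. */
#define MODEL_MAX_CONF_RSP 2

/* Minimal stand-in for the channel state; only the 8-bit counter matters. */
struct chan_model {
    uint8_t num_conf_rsp;   /* counts configuration responses sent */
};

/* Before the fix: every request bumps the counter unconditionally. */
static void conf_req_unpatched(struct chan_model *chan)
{
    chan->num_conf_rsp++;   /* 255 + 1 wraps to 0 in a uint8_t */
}

/* After the fix: the counter stops increasing once it reaches the limit. */
static void conf_req_patched(struct chan_model *chan)
{
    if (chan->num_conf_rsp < MODEL_MAX_CONF_RSP)
        chan->num_conf_rsp++;
}

/* Feed n requests through a handler; return the final counter value and
 * report how many times the counter wrapped back below its previous value. */
static uint8_t replay(void (*handler)(struct chan_model *), unsigned n,
                      unsigned *wraps)
{
    struct chan_model chan = { 0 };
    *wraps = 0;
    for (unsigned i = 0; i < n; i++) {
        uint8_t before = chan.num_conf_rsp;
        handler(&chan);
        if (chan.num_conf_rsp < before)
            (*wraps)++;
    }
    return chan.num_conf_rsp;
}

int main(void)
{
    unsigned wraps;
    uint8_t v = replay(conf_req_unpatched, 256, &wraps);
    printf("unpatched: counter=%u wraps=%u\n", v, wraps);
    v = replay(conf_req_patched, 256, &wraps);
    printf("patched:   counter=%u wraps=%u\n", v, wraps);
    return 0;
}
```

After 256 requests the unpatched counter reads the same as a channel that has sent no responses at all, which is the state confusion the boundary check removes.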
When successfully exploited, this vulnerability could allow a physically proximate attacker to cause a denial of service (system crash) through specially crafted L2CAP_CONF_REQ packets (NetApp Advisory, Debian Advisory).
Multiple Linux distributions have released patches to address this vulnerability. Debian has fixed the issue in version 5.10.162-1 for the stable distribution (bullseye). Fedora 37 has addressed it in kernel version 6.0.15-300.fc37. Ubuntu has also released fixes across multiple kernel versions for different releases (Debian Advisory, Fedora Update).
Source: This report was generated using AI