CVE-2022-49908: 
Linux Kernel vulnerability analysis and mitigation

A memory leak vulnerability (CVE-2022-49908) was discovered in the Linux kernel's Bluetooth L2CAP subsystem, specifically in the vhci_write function. The issue was identified through Syzkaller reports and affects Linux kernel versions from 5.12 up to 6.1 RC3 (NVD).

The vulnerability occurs when the start fragment does not contain the L2CAP length during frame processing. In this scenario, HCI core copies the skb into conn->rxskb and finishes frame process in l2caprecv_acldata() without freeing the skb, which triggers the memory leak. The issue was confirmed through Syzkaller reports showing an unreferenced object of size 240 bytes. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 MEDIUM (Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) (NVD).

The vulnerability results in memory leaks in the Linux kernel's Bluetooth subsystem, which could potentially lead to resource exhaustion over time. This could affect system stability and performance in systems utilizing the affected Bluetooth functionality (Wiz).

The issue has been resolved in the Linux kernel through a patch that ensures the release of the relative skb after processing in l2caprecvacldata(). Users should update to a patched version of the kernel that includes this fix (NVD).