CVE-2023-28464: 
Linux Kernel vulnerability analysis and mitigation

CVE-2023-28464 is a double-free vulnerability discovered in the Linux kernel through version 6.2.9, specifically in the hciconncleanup function within net/bluetooth/hciconn.c. The vulnerability was identified in the Bluetooth subsystem where a use-after-free condition occurs in hciconnhashflush due to improper handling of calls to hcidevput and hciconnput functions (NVD, Ubuntu).

The vulnerability stems from a double-free condition in the hciconncleanup function. After releasing an object using hciconndelsysfs, the same object is released again through hcidevput and hciconnput functions. The issue occurs because the object is already freed in the hciconndelsysfs function. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 (High) with the vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Kernel Patch, NVD).

Successful exploitation of this vulnerability could lead to privilege escalation, disclosure of sensitive information, addition or modification of data, or a Denial of Service (DoS) condition. The high CVSS score indicates significant potential impact on the confidentiality, integrity, and availability of the affected system (NetApp Advisory).

A patch has been developed that removes the redundant hcidevput and hciconnput function calls in the hciconncleanup function. The fix was submitted to the Linux kernel maintainers and has been incorporated into subsequent kernel versions. Users are advised to update their Linux kernel to a patched version (Kernel Patch).

The vulnerability was responsibly disclosed through proper channels, including the Linux kernel maintainers and the oss-security mailing list. The issue was initially reported to linux-distros and security teams on March 8, 2023, followed by a public patch submission on March 9, 2023 (OSS Security Discussion).