CVE-2024-22099: 
Linux Kernel vulnerability analysis and mitigation

A NULL pointer dereference vulnerability was discovered in the Linux kernel's Bluetooth RFCOMM protocol driver, specifically in the rfcomm_check_security function. The vulnerability affects Linux kernel version v2.6.12-rc2 and is tracked as CVE-2024-22099. The issue is present in the program file /net/bluetooth/rfcomm/core.C and affects Linux systems running on x86 and ARM architectures with Bluetooth modules enabled (OpenAnolis Bug).

The vulnerability occurs due to a race condition in the RFCOMM protocol driver. During the connection and disconnection process at the RFCOMM layer, when the host sends a 'Read Encryption Key Size' HCI command (Opcode: 0x1408) to the controller, a delayed response can trigger a NULL pointer dereference. Specifically, if the controller's response is delayed until after the RFCOMM and L2CAP layers have disconnected but before the HCI layer disconnection, accessing conn->hcon in rfcomm_check_security results in a NULL pointer dereference. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The exploitation of this vulnerability can lead to a denial of service condition through a system crash. The issue specifically affects the Bluetooth functionality of the system and can be triggered during the connection and disconnection process of Bluetooth devices (OpenAnolis Bug).

The vulnerability has been fixed in various Linux distributions through security updates. Debian has addressed this in version 5.10.216-1~deb10u1 for Debian 10 (buster) and version 4.19.316-1. Fedora has included fixes in kernel versions 6.7.9-200.fc39 and 6.7.9-100.fc38. Ubuntu has also released patches for multiple kernel versions across different releases (Debian LTS, Fedora Update).