CVE-2024-26903: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-26903 is a vulnerability discovered in the Linux kernel's Bluetooth RFCOMM protocol driver. The issue was identified during fuzz testing of the connection and disconnection process at the RFCOMM layer and was disclosed on April 17, 2024. The vulnerability affects multiple versions of the Linux kernel up to versions 4.19.311, 5.4.273, 5.10.214, 5.15.153, and 6.1.83 (NVD).

The vulnerability is a NULL pointer dereference in the rfcommchecksecurity function. The issue occurs when the timing of the controller's response to a Read Encryption Key Size packet is delayed until after the RFCOMM and L2CAP layers have disconnected but before the HCI layer disconnects. This causes the function to attempt accessing conn->hcon after the structure has been released, resulting in a null-ptr-deref error. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can be exploited to cause a denial of service (system crash) through a NULL pointer dereference. The impact is limited to availability, with no direct impact on confidentiality or integrity (NVD).

The vulnerability has been fixed by adding a check for sk->skstate being BTCLOSED before calling rfcommrecvframe in rfcommprocessrx. The fix has been implemented in various Linux kernel versions and distributions. Ubuntu has released patches for affected versions including 22.04 LTS (5.15.0-112.122), 20.04 LTS (5.4.0-189.209), and 18.04 LTS (4.15.0-228.240) (Ubuntu).