CVE-2024-42133: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-42133 is a vulnerability in the Linux kernel's Bluetooth subsystem, discovered in July 2024. The issue occurs in the handling of BIG (Broadcast Isochronous Groups) handle values within the hcilebigsyncestablishedevt function, where too large handle values could lead to erroneous release of ida (ID allocator) in hciconn_cleanup (CVE).

The vulnerability exists in the Linux kernel's Bluetooth stack where the hcilebigsyncestablishedevt function fails to properly validate handle values. When handle values exceed HCICONNHANDLEMAX, it could result in incorrect ida release during connection cleanup. The issue has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to availability issues in the Linux kernel's Bluetooth subsystem. When exploited, it could cause erroneous release of system resources, potentially affecting the stability of Bluetooth connections (NVD).

The vulnerability has been fixed in multiple Linux kernel versions. The fix involves adding validation checks for handle values in the hcilebigsyncestablished_evt function. Updates are available in kernel version 6.8.0-48.48 and related distributions. Ubuntu has released fixes for various kernel packages including linux-aws, linux-azure, and linux-gcp (Ubuntu).