CVE-2024-43884: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-43884 is a vulnerability in the Linux kernel's Bluetooth MGMT subsystem, discovered and disclosed in August 2024. The vulnerability affects Linux kernel versions from 4.3 up to and including 6.10.6, as well as several release candidates of version 6.11. The issue resides in the pair_device() function where hci_conn_params_add() fails to check for NULL values (NVD).

The vulnerability is a NULL pointer dereference issue in the Linux kernel's Bluetooth MGMT subsystem. Specifically, the hci_conn_params_add() function in the pair_device() implementation never checks for NULL values, which could lead to a system crash. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access is required and the primary impact is on system availability (NVD).

When exploited, this vulnerability can cause a NULL pointer dereference, resulting in a system crash. The impact is limited to availability, with no direct effects on confidentiality or integrity of the system (NVD).

The vulnerability has been fixed by adding proper error handling in the pair_device() function. The fix has been implemented across multiple Linux kernel versions, including backports to stable branches. Ubuntu has released fixes for various kernel versions across their supported distributions, including 24.04 LTS, 22.04 LTS, 20.04 LTS, and 18.04 LTS (Ubuntu). Debian has also addressed this issue in their bullseye and bookworm releases (Debian).