CVE-2024-54191: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-54191 is a circular locking dependency vulnerability discovered in the Linux kernel's Bluetooth ISO (Isochronous) subsystem. The issue was identified in Linux kernel versions from 6.11.11 up to 6.12.6, and was publicly disclosed on January 11, 2025. The vulnerability specifically affects the Bluetooth implementation in the kernel, particularly the isoconnbig_sync functionality (NVD).

The vulnerability stems from a circular locking dependency in the isoconnbigsync function within the Linux kernel's Bluetooth subsystem. The issue occurs when the socket lock (sklock-AF_BLUETOOTH) is held while attempting to acquire the Bluetooth device lock (hdev->lock), creating a potential deadlock scenario. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium), with a vector string of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to a deadlock condition in the Linux kernel's Bluetooth stack, potentially causing system hangs or reduced availability of Bluetooth services. The issue specifically impacts the Bluetooth ISO functionality, which is used for isochronous data transfer (Kernel Patch).

The vulnerability has been fixed in the Linux kernel through a patch that reworks the isosockrecvmsg function to ensure proper lock handling. The fix involves releasing the socket lock before calling functions that lock the Bluetooth device. The patch is available in Linux kernel version 6.12.6 and later (Kernel Patch).