CVE-2024-56591: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability in the Linux kernel's Bluetooth subsystem has been identified and assigned CVE-2024-56591. The issue relates to the handling of delayed work synchronization in the Bluetooth HCI connection management. The vulnerability was discovered and resolved in December 2024, affecting the Linux kernel's Bluetooth stack, specifically the hci_conn component (Kernel Git).

The vulnerability stems from the improper use of canceldelayedworksync instead of disabledelayedworksync in the Bluetooth HCI connection management code. The issue occurs when handling work queue operations during connection cleanup. The fix implements disabledelayedwork_sync which not only cancels ongoing work but also prevents new submissions, which is crucial since the object holding the work is about to be freed (Red Hat XML). The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Moderate) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

The vulnerability could potentially lead to memory corruption or system instability when Bluetooth connections are being terminated. The issue affects systems where the object holding the work queue is about to be freed, but new work submissions aren't properly prevented (NVD).

The vulnerability has been patched in the Linux kernel by replacing canceldelayedworksync with disabledelayedworksync in the affected code paths. System administrators should apply the latest kernel updates that include this fix (Kernel Git).