CVE-2023-28464: Use After Free

Published Mar 13, 2023
·
Updated

A double free vulnerability was found in the hciconncleanup function of net/bluetooth/hciconn.c, which may cause DOS or privilege escalation.

Version: Linux kernel 6.2 (this problem also exists in 6.3-rc1)

At the end of the hciconndelsysfs(conn) function in the hciconncleanup function, hcidevput(hdev) will be called. The hcidevput function will eventually call kfree to release the space used by name:

hcidevput putdevice kobjectput krefput kobjectrelease kobjectcleanup kfreeconst kfree

After the hciconndelsysfs function ends, the hcidevput function is called again in the hciconncleanup function, and their parameters hdev are the same, so double free will be caused when the name is released.

In addition, at the end of hciconncleanup, the hciconnput function is called again, which will call the putdevice function to release conn->dev. Obviously conn->dev has been released, so there will also be a double free problem here.

Call Trace from syzbot, https://syzkaller.appspot.com/bug?id=1bb51491ca5df96a5f724899d1dbb87afda61419:

Other sources

hciconncleanup in net/bluetooth/hciconn.c in the Linux kernel through 6.2.9 has a use-after-free (observed in hciconnhashflush) because of calls to hcidevput and hciconnput. There is a double free that may lead to privilege escalation.

MITRE

Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a double free flaw in the hciconncleanup function in the Bluetooth subsystem. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges or cause a denial of service condition.

IBM

Affected Software

23 affected components
Linux Linux kernel=6.1.25
Linux Linux kernel=6.2.12
Linux Linux kernel=6.3
Linux Linux kernel=6.3-rc1
Linux Linux kernel=6.3-rc2
Linux Linux kernel=6.3-rc3
Linux Linux kernel=6.3-rc4
Linux Linux kernel=6.3-rc5
Linux Linux kernel=6.3-rc6
NetApp H300s Firmware
NetApp H410c Firmware
NetApp H410s Firmware
NetApp H500s Firmware
NetApp H700s Firmware
NetApp Baseboard Management Controller H300s Firmware
NetApp Baseboard Management Controller H410c Firmware
NetApp Baseboard Management Controller H410s Firmware
NetApp Baseboard Management Controller H500s Firmware
NetApp Baseboard Management Controller H700s Firmware
IBM Security Verify Governance<=ISVG 10.0.2
IBM Security Verify Governance, Identity Manager Software Stack<=ISVG 10.0.2
IBM Security Verify Governance, Identity Manager Virtual Appliance<=ISVG 10.0.2
IBM Security Verify Governance Identity Manager Container<=ISVG 10.0.2

Remediation

Patch Available

https://lore.kernel.org/lkml/20230309074645.74309-1-wzhmmmmm@gmail.com/

Patch Available

https://www.openwall.com/lists/oss-security/2023/03/28/2

Patch Available

https://lore.kernel.org/lkml/20230309074645.74309-1-wzhmmmmm%40gmail.com/

Event History

Mar 13, 2023
Data Sourced
via Red Hat·02:54 PM
DescriptionSeverityAffected Software
Mar 31, 2023
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
Description
Apr 9, 2025
Data Sourced
via IBM·12:00 AM
DescriptionAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the vulnerability ID for this issue?

The vulnerability ID for this issue is CVE-2023-28464.

2

What is the severity level of CVE-2023-28464?

CVE-2023-28464 has a severity level of 7.8, which is considered high.

3

Which software versions are affected by CVE-2023-28464?

The Linux kernel versions 6.1.25, 6.2.12, 6.3, and all release candidates (6.3-rc1 to 6.3-rc6) are affected by CVE-2023-28464. Additionally, Netapp Baseboard Management Controller firmware versions H300s, H410c, H410s, H500s, and H700s are also affected.

4

What is the description of CVE-2023-28464?

CVE-2023-28464 is a use-after-free vulnerability in the Linux kernel's hci_conn_cleanup function that can lead to privilege escalation due to a double free issue.

5

How can I fix CVE-2023-28464?

To fix CVE-2023-28464, it is recommended to apply the relevant patch or update provided by the Linux kernel or Netapp, depending on the affected software version.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203