{"id":"CVE-2024-36013","summary":"Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()\n\nExtend a critical section to prevent chan from early freeing.\nAlso make the l2cap_connect() return type void. Nothing is using the\nreturned value but it is ugly to return a potentially freed pointer.\nMaking it void will help with backports because earlier kernels did use\nthe return value. Now the compile will break for kernels where this\npatch is not a complete fix.\n\nCall stack summary:\n\n[use]\nl2cap_bredr_sig_cmd\n  l2cap_connect\n  ┌ mutex_lock(&conn-\u003echan_lock);\n  │ chan = pchan-\u003eops-\u003enew_connection(pchan); \u003c- alloc chan\n  │ __l2cap_chan_add(conn, chan);\n  │   l2cap_chan_hold(chan);\n  │   list_add(&chan-\u003elist, &conn-\u003echan_l);   ... (1)\n  └ mutex_unlock(&conn-\u003echan_lock);\n    chan-\u003econf_state              ... (4) \u003c- use after free\n\n[free]\nl2cap_conn_del\n┌ mutex_lock(&conn-\u003echan_lock);\n│ foreach chan in conn-\u003echan_l:            ... (2)\n│   l2cap_chan_put(chan);\n│     l2cap_chan_destroy\n│       kfree(chan)               ... (3) \u003c- chan freed\n└ mutex_unlock(&conn-\u003echan_lock);\n\n==================================================================\nBUG: KASAN: slab-use-after-free in instrument_atomic_read\ninclude/linux/instrumented.h:68 [inline]\nBUG: KASAN: slab-use-after-free in _test_bit\ninclude/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]\nBUG: KASAN: slab-use-after-free in l2cap_connect+0xa67/0x11a0\nnet/bluetooth/l2cap_core.c:4260\nRead of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311","modified":"2026-04-02T11:59:57.005826Z","published":"2024-05-23T07:03:07.571Z","related":["SUSE-SU-2024:2135-1","SUSE-SU-2024:2203-1","SUSE-SU-2024:2973-1","SUSE-SU-2024:3189-1","SUSE-SU-2024:3190-1","SUSE-SU-2024:3209-1","SUSE-SU-2024:3251-1","SUSE-SU-2024:3252-1","SUSE-SU-2024:3483-1","SUSE-SU-2025:20008-1","SUSE-SU-2025:20028-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/36xxx/CVE-2024-36013.json"},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/05/30/1"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/05/30/2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4d7b41c0e43995b0e992b9f8903109275744b658"},{"type":"WEB","url":"https://git.kernel.org/stable/c/826af9d2f69567c646ff46d10393d47e30ad23c6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cfe560c7050bfb37b0d2491bbe7cd8b59e77fdc5"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/36xxx/CVE-2024-36013.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36013"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"73ffa904b78287f6acf8797e040150aa26a4af4a"},{"fixed":"cfe560c7050bfb37b0d2491bbe7cd8b59e77fdc5"},{"fixed":"826af9d2f69567c646ff46d10393d47e30ad23c6"},{"fixed":"4d7b41c0e43995b0e992b9f8903109275744b658"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-36013.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"}]}