{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2022-49474", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-02-26T02:08:31.579Z", "datePublished": "2025-02-26T02:13:16.679Z", "dateUpdated": "2026-05-11T19:00:35.320Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T19:00:35.320Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout\n\nConnecting the same socket twice consecutively in sco_sock_connect()\ncould lead to a race condition where two sco_conn objects are created\nbut only one is associated with the socket. If the socket is closed\nbefore the SCO connection is established, the timer associated with the\ndangling sco_conn object won't be canceled. As the sock object is being\nfreed, the use-after-free problem happens when the timer callback\nfunction sco_sock_timeout() accesses the socket. Here's the call trace:\n\ndump_stack+0x107/0x163\n? refcount_inc+0x1c/\nprint_address_description.constprop.0+0x1c/0x47e\n? refcount_inc+0x1c/0x7b\nkasan_report+0x13a/0x173\n? refcount_inc+0x1c/0x7b\ncheck_memory_region+0x132/0x139\nrefcount_inc+0x1c/0x7b\nsco_sock_timeout+0xb2/0x1ba\nprocess_one_work+0x739/0xbd1\n? cancel_delayed_work+0x13f/0x13f\n? __raw_spin_lock_init+0xf0/0xf0\n? to_kthread+0x59/0x85\nworker_thread+0x593/0x70e\nkthread+0x346/0x35a\n? drain_workqueue+0x31a/0x31a\n? kthread_bind+0x4b/0x4b\nret_from_fork+0x1f/0x30"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/sco.c"], "versions": [{"version": "22c66af08230a7030bdb88accffaec3424695631", "lessThan": "9de3dc09e56f8deacd2bdbf4cecb71e11a312405", "status": "affected", "versionType": "git"}, {"version": "0115a66ebb44bd9127ccb58cf43ed23c795eb1f0", "lessThan": "7d61dbd7311ab978d8ddac1749a758de4de00374", "status": "affected", "versionType": "git"}, {"version": "bc4b08383046f3282b6fa58cfcef05bd13e52b93", "lessThan": "390d82733a953c1fabf3de9c9618091a7a9c90a6", "status": "affected", "versionType": "git"}, {"version": "5ccb04c6e1fb7b97fa2e1785b67c3a1cb3527ef7", "lessThan": "6f55fac0af3531cf60d11369454c41f5fc81ab3f", "status": "affected", "versionType": "git"}, {"version": "059c2c09f4b7f97711d0d8eaa0b9877f5e7d0a75", "lessThan": "36c644c63bfcaee2d3a426f45e89a9cd09799318", "status": "affected", "versionType": "git"}, {"version": "e1dee2c1de2b4dd00eb44004a4bda6326ed07b59", "lessThan": "65d347cb39e2e6bd0c2a745ad7c928998ebb0162", "status": "affected", "versionType": "git"}, {"version": "e1dee2c1de2b4dd00eb44004a4bda6326ed07b59", "lessThan": "537f619dea4e3fa8ed1f8f938abffe3615794bcc", "status": "affected", "versionType": "git"}, {"version": "e1dee2c1de2b4dd00eb44004a4bda6326ed07b59", "lessThan": "99df16007f4bbf9abfc3478cb17d10f0d7f8906e", "status": "affected", "versionType": "git"}, {"version": "e1dee2c1de2b4dd00eb44004a4bda6326ed07b59", "lessThan": "7aa1e7d15f8a5b65f67bacb100d8fc033b21efa2", "status": "affected", "versionType": "git"}, {"version": "98ae477ed1540d3acbbf44d88ee237ad64275158", "status": "affected", "versionType": "git"}, {"version": "f0c389e23e2475e5837716a629c81b7a9d90cc94", "status": "affected", "versionType": "git"}, {"version": "0b9da4bde0d59c61b3675bdd80a05a726beb875a", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/sco.c"], "versions": [{"version": "5.15", "status": "affected"}, {"version": "0", "lessThan": "5.15", "status": "unaffected", "versionType": "semver"}, {"version": "4.9.318", "lessThanOrEqual": "4.9.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.14.283", "lessThanOrEqual": "4.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.247", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.198", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.121", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.46", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.17.14", "lessThanOrEqual": "5.17.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.18.3", "lessThanOrEqual": "5.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9.283", "versionEndExcluding": "4.9.318"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14.247", "versionEndExcluding": "4.14.283"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19.207", "versionEndExcluding": "4.19.247"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.146", "versionEndExcluding": "5.4.198"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.65", "versionEndExcluding": "5.10.121"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "5.15.46"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "5.17.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "5.18.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "5.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.4.284"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14.4"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/9de3dc09e56f8deacd2bdbf4cecb71e11a312405"}, {"url": "https://git.kernel.org/stable/c/7d61dbd7311ab978d8ddac1749a758de4de00374"}, {"url": "https://git.kernel.org/stable/c/390d82733a953c1fabf3de9c9618091a7a9c90a6"}, {"url": "https://git.kernel.org/stable/c/6f55fac0af3531cf60d11369454c41f5fc81ab3f"}, {"url": "https://git.kernel.org/stable/c/36c644c63bfcaee2d3a426f45e89a9cd09799318"}, {"url": "https://git.kernel.org/stable/c/65d347cb39e2e6bd0c2a745ad7c928998ebb0162"}, {"url": "https://git.kernel.org/stable/c/537f619dea4e3fa8ed1f8f938abffe3615794bcc"}, {"url": "https://git.kernel.org/stable/c/99df16007f4bbf9abfc3478cb17d10f0d7f8906e"}, {"url": "https://git.kernel.org/stable/c/7aa1e7d15f8a5b65f67bacb100d8fc033b21efa2"}], "title": "Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-49474", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-27T18:15:54.463749Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-27T18:22:32.377Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-49474", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-27T18:15:54.463749Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-27T18:15:56.136Z"}}], "cna": {"title": "Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "22c66af08230a7030bdb88accffaec3424695631", "lessThan": "9de3dc09e56f8deacd2bdbf4cecb71e11a312405", "versionType": "git"}, {"status": "affected", "version": "0115a66ebb44bd9127ccb58cf43ed23c795eb1f0", "lessThan": "7d61dbd7311ab978d8ddac1749a758de4de00374", "versionType": "git"}, {"status": "affected", "version": "bc4b08383046f3282b6fa58cfcef05bd13e52b93", "lessThan": "390d82733a953c1fabf3de9c9618091a7a9c90a6", "versionType": "git"}, {"status": "affected", "version": "5ccb04c6e1fb7b97fa2e1785b67c3a1cb3527ef7", "lessThan": "6f55fac0af3531cf60d11369454c41f5fc81ab3f", "versionType": "git"}, {"status": "affected", "version": "059c2c09f4b7f97711d0d8eaa0b9877f5e7d0a75", "lessThan": "36c644c63bfcaee2d3a426f45e89a9cd09799318", "versionType": "git"}, {"status": "affected", "version": "e1dee2c1de2b4dd00eb44004a4bda6326ed07b59", "lessThan": "65d347cb39e2e6bd0c2a745ad7c928998ebb0162", "versionType": "git"}, {"status": "affected", "version": "e1dee2c1de2b4dd00eb44004a4bda6326ed07b59", "lessThan": "537f619dea4e3fa8ed1f8f938abffe3615794bcc", "versionType": "git"}, {"status": "affected", "version": "e1dee2c1de2b4dd00eb44004a4bda6326ed07b59", "lessThan": "99df16007f4bbf9abfc3478cb17d10f0d7f8906e", "versionType": "git"}, {"status": "affected", "version": "e1dee2c1de2b4dd00eb44004a4bda6326ed07b59", "lessThan": "7aa1e7d15f8a5b65f67bacb100d8fc033b21efa2", "versionType": "git"}, {"status": "affected", "version": "98ae477ed1540d3acbbf44d88ee237ad64275158", "versionType": "git"}, {"status": "affected", "version": "f0c389e23e2475e5837716a629c81b7a9d90cc94", "versionType": "git"}, {"status": "affected", "version": "0b9da4bde0d59c61b3675bdd80a05a726beb875a", "versionType": "git"}], "programFiles": ["net/bluetooth/sco.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.15"}, {"status": "unaffected", "version": "0", "lessThan": "5.15", "versionType": "semver"}, {"status": "unaffected", "version": "4.9.318", "versionType": "semver", "lessThanOrEqual": "4.9.*"}, {"status": "unaffected", "version": "4.14.283", "versionType": "semver", "lessThanOrEqual": "4.14.*"}, {"status": "unaffected", "version": "4.19.247", "versionType": "semver", "lessThanOrEqual": "4.19.*"}, {"status": "unaffected", "version": "5.4.198", "versionType": "semver", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.121", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.46", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "5.17.14", "versionType": "semver", "lessThanOrEqual": "5.17.*"}, {"status": "unaffected", "version": "5.18.3", "versionType": "semver", "lessThanOrEqual": "5.18.*"}, {"status": "unaffected", "version": "5.19", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["net/bluetooth/sco.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/9de3dc09e56f8deacd2bdbf4cecb71e11a312405"}, {"url": "https://git.kernel.org/stable/c/7d61dbd7311ab978d8ddac1749a758de4de00374"}, {"url": "https://git.kernel.org/stable/c/390d82733a953c1fabf3de9c9618091a7a9c90a6"}, {"url": "https://git.kernel.org/stable/c/6f55fac0af3531cf60d11369454c41f5fc81ab3f"}, {"url": "https://git.kernel.org/stable/c/36c644c63bfcaee2d3a426f45e89a9cd09799318"}, {"url": "https://git.kernel.org/stable/c/65d347cb39e2e6bd0c2a745ad7c928998ebb0162"}, {"url": "https://git.kernel.org/stable/c/537f619dea4e3fa8ed1f8f938abffe3615794bcc"}, {"url": "https://git.kernel.org/stable/c/99df16007f4bbf9abfc3478cb17d10f0d7f8906e"}, {"url": "https://git.kernel.org/stable/c/7aa1e7d15f8a5b65f67bacb100d8fc033b21efa2"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout\n\nConnecting the same socket twice consecutively in sco_sock_connect()\ncould lead to a race condition where two sco_conn objects are created\nbut only one is associated with the socket. If the socket is closed\nbefore the SCO connection is established, the timer associated with the\ndangling sco_conn object won't be canceled. As the sock object is being\nfreed, the use-after-free problem happens when the timer callback\nfunction sco_sock_timeout() accesses the socket. Here's the call trace:\n\ndump_stack+0x107/0x163\n? refcount_inc+0x1c/\nprint_address_description.constprop.0+0x1c/0x47e\n? refcount_inc+0x1c/0x7b\nkasan_report+0x13a/0x173\n? refcount_inc+0x1c/0x7b\ncheck_memory_region+0x132/0x139\nrefcount_inc+0x1c/0x7b\nsco_sock_timeout+0xb2/0x1ba\nprocess_one_work+0x739/0xbd1\n? cancel_delayed_work+0x13f/0x13f\n? __raw_spin_lock_init+0xf0/0xf0\n? to_kthread+0x59/0x85\nworker_thread+0x593/0x70e\nkthread+0x346/0x35a\n? drain_workqueue+0x31a/0x31a\n? kthread_bind+0x4b/0x4b\nret_from_fork+0x1f/0x30"}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.9.318", "versionStartIncluding": "4.9.283"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.14.283", "versionStartIncluding": "4.14.247"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.19.247", "versionStartIncluding": "4.19.207"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.4.198", "versionStartIncluding": "5.4.146"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.10.121", "versionStartIncluding": "5.10.65"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.15.46", "versionStartIncluding": "5.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.17.14", "versionStartIncluding": "5.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.18.3", "versionStartIncluding": "5.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.19", "versionStartIncluding": "5.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "4.4.284"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "5.13.17"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "5.14.4"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T19:00:35.320Z"}}}, "cveMetadata": {"cveId": "CVE-2022-49474", "state": "PUBLISHED", "dateUpdated": "2026-05-11T19:00:35.320Z", "dateReserved": "2025-02-26T02:08:31.579Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2025-02-26T02:13:16.679Z", "assignerShortName": "Linux"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "FA737495-79C0-44E9-9460-1B952324539D", "versionEndExcluding": "4.5", "versionStartIncluding": "4.4.284", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "00BEF9C7-A165-4F9C-AB25-957923C10777", "versionEndExcluding": "4.9.318", "versionStartIncluding": "4.9.238", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "04E6F3D8-9994-4BD6-AC78-979F4425C845", "versionEndExcluding": "4.14.283", "versionStartIncluding": "4.14.247", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D758AE59-1429-4455-9E8F-244E41414654", "versionEndExcluding": "4.19.247", "versionStartIncluding": "4.19.207", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "10513E44-520A-4056-98BE-E9AAC07D6139", "versionEndExcluding": "5.4.198", "versionStartIncluding": "5.4.146", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "54DD05A3-4198-4FF8-9B37-4C8B5C038E64", "versionEndExcluding": "5.10.121", "versionStartIncluding": "5.10.65", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0547757C-4CB4-47A0-A6C4-2C6CDEA08791", "versionEndExcluding": "5.14", "versionStartIncluding": "5.13.17", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "FCE27D56-8FE9-4B2F-93FE-BCAB349E9E3F", "versionEndExcluding": "5.15.46", "versionStartIncluding": "5.14.4", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "15E2DD33-2255-4B76-9C15-04FF8CBAB252", "versionEndExcluding": "5.17.14", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E122216-2E9E-4B3E-B7B8-D575A45BA3C2", "versionEndExcluding": "5.18.3", "versionStartIncluding": "5.18", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout\n\nConnecting the same socket twice consecutively in sco_sock_connect()\ncould lead to a race condition where two sco_conn objects are created\nbut only one is associated with the socket. If the socket is closed\nbefore the SCO connection is established, the timer associated with the\ndangling sco_conn object won't be canceled. As the sock object is being\nfreed, the use-after-free problem happens when the timer callback\nfunction sco_sock_timeout() accesses the socket. Here's the call trace:\n\ndump_stack+0x107/0x163\n? refcount_inc+0x1c/\nprint_address_description.constprop.0+0x1c/0x47e\n? refcount_inc+0x1c/0x7b\nkasan_report+0x13a/0x173\n? refcount_inc+0x1c/0x7b\ncheck_memory_region+0x132/0x139\nrefcount_inc+0x1c/0x7b\nsco_sock_timeout+0xb2/0x1ba\nprocess_one_work+0x739/0xbd1\n? cancel_delayed_work+0x13f/0x13f\n? __raw_spin_lock_init+0xf0/0xf0\n? to_kthread+0x59/0x85\nworker_thread+0x593/0x70e\nkthread+0x346/0x35a\n? drain_workqueue+0x31a/0x31a\n? kthread_bind+0x4b/0x4b\nret_from_fork+0x1f/0x30"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Bluetooth: se corrige el sco_conn colgante y el use-after-free en sco_sock_timeout Conectar el mismo socket dos veces consecutivas en sco_sock_connect() podr\u00eda provocar una condici\u00f3n de ejecuci\u00f3n en la que se crean dos objetos sco_conn pero solo uno est\u00e1 asociado con el socket. Si el socket se cierra antes de que se establezca la conexi\u00f3n SCO, el temporizador asociado con el objeto sco_conn colgante no se cancelar\u00e1. A medida que se libera el objeto sock, el problema de use-after-free ocurre cuando la funci\u00f3n de devoluci\u00f3n de llamada del temporizador sco_sock_timeout() accede al socket. Aqu\u00ed est\u00e1 el seguimiento de la llamada: dump_stack+0x107/0x163 ? refcount_inc+0x1c/ print_address_description.constprop.0+0x1c/0x47e ? refcount_inc+0x1c/0x7b kasan_report+0x13a/0x173 ? refcount_inc+0x1c/0x7b check_memory_region+0x132/0x139 refcount_inc+0x1c/0x7b sco_sock_timeout+0xb2/0x1ba process_one_work+0x739/0xbd1 ? cancel_delayed_work+0x13f/0x13f ? __raw_spin_lock_init+0xf0/0xf0 ? to_kthread+0x59/0x85 worker_thread+0x593/0x70e kthread+0x346/0x35a ? drain_workqueue+0x31a/0x31a ? kthread_bind+0x4b/0x4b ret_from_fork+0x1f/0x30 "}], "id": "CVE-2022-49474", "lastModified": "2025-03-24T19:59:02.253", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-02-26T07:01:23.613", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/36c644c63bfcaee2d3a426f45e89a9cd09799318"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/390d82733a953c1fabf3de9c9618091a7a9c90a6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/537f619dea4e3fa8ed1f8f938abffe3615794bcc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/65d347cb39e2e6bd0c2a745ad7c928998ebb0162"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6f55fac0af3531cf60d11369454c41f5fc81ab3f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7aa1e7d15f8a5b65f67bacb100d8fc033b21efa2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7d61dbd7311ab978d8ddac1749a758de4de00374"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/99df16007f4bbf9abfc3478cb17d10f0d7f8906e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9de3dc09e56f8deacd2bdbf4cecb71e11a312405"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "kernel: Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout", "id": "2348082", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348082"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nBluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout\nConnecting the same socket twice consecutively in sco_sock_connect()\ncould lead to a race condition where two sco_conn objects are created\nbut only one is associated with the socket. If the socket is closed\nbefore the SCO connection is established, the timer associated with the\ndangling sco_conn object won't be canceled. As the sock object is being\nfreed, the use-after-free problem happens when the timer callback\nfunction sco_sock_timeout() accesses the socket. Here's the call trace:\ndump_stack+0x107/0x163\n? refcount_inc+0x1c/\nprint_address_description.constprop.0+0x1c/0x47e\n? refcount_inc+0x1c/0x7b\nkasan_report+0x13a/0x173\n? refcount_inc+0x1c/0x7b\ncheck_memory_region+0x132/0x139\nrefcount_inc+0x1c/0x7b\nsco_sock_timeout+0xb2/0x1ba\nprocess_one_work+0x739/0xbd1\n? cancel_delayed_work+0x13f/0x13f\n? __raw_spin_lock_init+0xf0/0xf0\n? to_kthread+0x59/0x85\nworker_thread+0x593/0x70e\nkthread+0x346/0x35a\n? drain_workqueue+0x31a/0x31a\n? kthread_bind+0x4b/0x4b\nret_from_fork+0x1f/0x30", "A flaw was discovered in the Linux kernel\u2019s Bluetooth subsystem, SCO sockets. When calling sco_sock_connect() and connecting the same socket twice in quick succession, two sco_conn objects may be created, but only one gets associated with the socket. If the socket is closed before the SCO connection is fully established, the timer linked to the dangling sco_conn is not canceled. This results in a use-after-free issue in sco_sock_timeout(), where the kernel attempts to access the freed socket. A local, unprivileged user may exploit this flaw to trigger kernel memory corruption, resulting in system instability or a denial of service."], "name": "CVE-2022-49474", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-02-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-49474\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49474\nhttps://lore.kernel.org/linux-cve-announce/2025022603-CVE-2022-49474-ce0b@gregkh/T"], "statement": "Red Hat has assigned this vulnerability a Moderate severity rating with a CVSS score of 5.5. This assessment is based on the following key factors:\n* It is impossible to create sco_conn objects without physical access to both the server and client systems.\n* The dangling timer can cause a resource consumption attack, but there is no risk of any data leaks.\n* There is no loss of integrity, as even in case of successful exploitation, there is no data exchanged between the client and the server.", "threat_severity": "Moderate"}

{}