CVE-2024-58009
Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc A NULL sock pointer is passed into l2cap_sock_alloc() when it is called from l2cap_sock_new_connection_cb() and the error handling paths should also be aware of it. Seemingly a more elegant solution would be to swap bt_sock_alloc() and l2cap_chan_create() calls since they are not interdependent to that moment but then l2cap_chan_create() adds the soon to be deallocated and still dummy-initialized channel to the global list accessible by many L2CAP paths. The channel would be removed from the list in short period of time but be a bit more straight-forward here and just check for NULL instead of changing the order of function calls. Found by Linux Verification Center (linuxtesting.org) with SVACE static analysis tool.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Mitigation details
CVE-2024-58009 NameCVE-2024-58009 DescriptionIn the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc A NULL sock pointer is passed into l2cap_sock_alloc() when it is called from l2cap_sock_new_connection_cb() and the error handling paths should also be aware of it. Seemingly a more elegant solution would be to swapโฆ
CVE-2024-58009
| Name | CVE-2024-58009 |
| Description | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc A NULL sock pointer is passed into l2cap_sock_alloc() when it is called from l2cap_sock_new_connection_cb() and the error handling paths should also be aware of it. Seemingly a more elegant solution would be to swap bt_sock_alloc() and l2cap_chan_create() calls since they are not interdependent to that moment but then l2cap_chan_create() adds the soon to be deallocated and still dummy-initialized channel to the global list accessible by many L2CAP paths. The channel would be removed from the list in short period of time but be a bit more straight-forward here and just check for NULL instead of changing the order of function calls. Found by Linux Verification Center (linuxtesting.org) with SVACE static analysis tool. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-4102-1 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| linux (PTS) | bullseye | 5.10.223-1 | vulnerable |
| bullseye (security) | 5.10.257-1 | fixed | |
| bookworm | 6.1.170-3 | fixed | |
| bookworm (security) | 6.1.174-1 | fixed | |
| trixie | 6.12.86-1 | fixed | |
| trixie (security) | 6.12.90-2 | fixed | |
| forky, sid | 7.0.10-1 | fixed | |
| linux-6.1 (PTS) | bullseye (security) | 6.1.174-1~deb11u1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| linux | source | bullseye | 5.10.234-1 | |||
| linux | source | bookworm | 6.1.129-1 | |||
| linux | source | (unstable) | 6.12.15-1 | |||
| linux-6.1 | source | bullseye | 6.1.129-1~deb11u1 | DLA-4102-1 |
Notes
https://git.kernel.org/linus/5f397409f8ee5bc82901eeaf799e1cbc4f8edcf1 (6.14-rc1)
Apply commands
https://git.kernel.org/linus/5f397409f8ee5bc82901eeaf799e1cbc4f8edcf1 (6.14-rc1)OS impact
Linux kernel Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| โ | Affected | 5.4.291 |
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| โ | Affected | โ |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 6.12.15-1 |
| sid | Fixed | 6.12.15-1 |
| forky | Fixed | 6.12.15-1 |
| bullseye | Fixed | 5.10.234-1 |
| bookworm | Fixed | 6.1.129-1 |
Red Hat Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | โ |
References
- https://access.redhat.com/errata/RHSA-2025:6966
- https://git.kernel.org/stable/c/245d48c1ba3e7a1779c2f4cbc6f581ddc8a78e22
- https://git.kernel.org/stable/c/297ce7f544aa675b0d136d788cad0710cdfb0785
- https://git.kernel.org/stable/c/49c0d55d59662430f1829ae85b969619573d0fa1
- https://git.kernel.org/stable/c/5f397409f8ee5bc82901eeaf799e1cbc4f8edcf1
- https://git.kernel.org/stable/c/691218a50c3139f7f57ffa79fb89d932eda9571e
- https://git.kernel.org/stable/c/8e605f580a97530e5a3583beea458a3fa4cbefbd
- https://git.kernel.org/stable/c/a9a7672fc1a0fe18502493936ccb06413ab89ea6
- https://git.kernel.org/stable/c/cf601a24120c674cd7c907ea695f92617af6abd0
- https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html
- https://cert-portal.siemens.com/productcert/html/ssa-265688.html
- https://www.suse.com/security/cve/CVE-2024-58009.html
- https://security-tracker.debian.org/tracker/CVE-2024-58009
CWEs
CWE-476
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.