Bugzilla – Full Text Bug Listing
| Summary: | VUL-0: DUPLICATE: CVE-2024-21803: kernel: bluetooth: use-after-free vulnerability in af_bluetooth.c | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | SMASH SMASH <smash_bz> |
| Component: | Incidents | Assignee: | Joey Lee <jlee> |
| Status: | NEW --- | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P3 - Medium | CC: | abergmann, jack, meissner |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | https://smash.suse.de/issue/392519/ | | |
| Whiteboard: | | | |
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
SMASH SMASH
2024-01-30 13:36:18 UTC

The OpenAnolis Bugzilla report is currently still private. No details about the underlying problem. Furthermore, the NIST CVE description is mentioning this problem as "Local Execution of Code", but the CVSS vector and score are currently set to LOW.

Base Score: 3.5 LOW
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L

Without a direct understanding of the issue, we cannot set a SUSE CVSSv3.1 score right now. Joey, I guess bluetooth is going to end up on your plate... If we can find out what this is all about :)

Did not see kernel patch on upstream yet.

The CVE entry has one more hidden detail:

"title": "Possible UAF in bt_accept_poll in Linux kernel",

although there is no obvious UAF to see there.

I also emailed the contact address.

I filed a dispute with Mitre, as this seems to be a duplicate: https://patchwork.kernel.org/project/bluetooth/patch/20231209105518.GA408904@v4bel-B760M-AORUS-ELITE-AX/#25630326