CVE-2024-53237

CVSS 3.1 Score 7.8 of 10 (high)

Details

Published Dec 27, 2024
Updated: Jan 14, 2025
CWE ID 416

Summary

CVE-2024-53237 is a vulnerability affecting the Linux kernel's Bluetooth subsystem. It involves a use-after-free issue in the function device_for_each_child(). The flaw allows a task, specifically "kbnepd bnep0/4980", to read memory that was previously allocated but later freed. The CPU and UID are listed as 0, and the affected kernel version is 6.12.0-rc4-00161-gae90f6a6170d. A race condition exists where the device may be freed before the underlying reference counter drops to zero, leading to a potential dangling pointer situation. To mitigate this, the recommendation is to reparent the device to NULL explicitly when its underlying reference counter is greater than one before deleting the parent controller device.
