Source: redhatcve (Redhat.com), RH:CVE-2022-3619
History: Dec 16, 2022 - 10:35 a.m.

CVE-2022-3619

2022-12-16 10:35:24
redhat.com
access.redhat.com
Tags: linux kernel, l2cap bluetooth, memory leak flaw, malicious packets, system crash, mitigation, operating system, hardware level

CVSS3: 4.3 Medium

Attack Vector: ADJACENT
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS: 0.001 Low
Percentile: 24.0%

A memory leak flaw was found in the Linux kernel's L2CAP Bluetooth functionality. The issue occurs when a user generates malicious packets that trigger the l2cap_recv_acldata function. This flaw allows a local or Bluetooth connection user to potentially crash the system.

Mitigation

To mitigate this flaw at the operating system level, disable Bluetooth by blocklisting its kernel modules. System-wide modprobe rules can prevent the modules from being loaded. Instructions on how to disable Bluetooth modules are available on the customer portal at <https://access.redhat.com/solutions/268293>.

Alternatively, Bluetooth can be disabled in the hardware or at the BIOS level, which is also an effective mitigation because the kernel will not detect Bluetooth hardware on the system.
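
As an added example (not part of the Red Hat advisory), the shell functions below check whether the modprobe-based mitigation is actually in effect on a host. The module names bluetooth, btusb and bnep, the /etc/modprobe.d default, and the `install <module> /bin/true` rule form are assumptions; the advisory itself does not list them.

```shell
#!/bin/sh
# Added example: audit the modprobe-based Bluetooth mitigation.
# Assumption: this module list (core stack, USB transport, BNEP) is not
# taken from the advisory; adjust it to the drivers present on the host.
BT_MODULES="bluetooth btusb bnep"

# Return 0 if a *.conf file in directory $2 overrides loading of module $1
# with a no-op ("install <mod> /bin/true" or "/bin/false").
# A bare "blacklist <mod>" line is deliberately not counted: it only stops
# alias-based autoloading, not explicit or dependency loads.
module_blocked() {
    mod=$1; dir=$2
    pat='^[[:space:]]*install[[:space:]]+'"$mod"'[[:space:]]+/(usr/)?bin/(true|false)[[:space:]]*$'
    [ -d "$dir" ] || return 1
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq "$pat" "$f"; then
            return 0
        fi
    done
    return 1
}

# Return 0 if module $1 is listed in the /proc/modules-format file $2.
module_loaded() {
    grep -q "^$1 " "$2"
}

# Print one status line per module. Returns non-zero if any module is
# currently loaded or has no install override.
# $1: modprobe.d directory (default /etc/modprobe.d; other modprobe.d
#     locations are not searched), $2: loaded-module list (default /proc/modules).
audit_bluetooth() {
    dir=${1:-/etc/modprobe.d}; procfile=${2:-/proc/modules}
    rc=0
    for m in $BT_MODULES; do
        if module_loaded "$m" "$procfile"; then
            echo "$m: LOADED (rule takes effect only after unload or reboot)"; rc=1
        elif module_blocked "$m" "$dir"; then
            echo "$m: blocked"
        else
            echo "$m: NOT blocked (no install override in $dir)"; rc=1
        fi
    done
    return $rc
}
```

Source the file and call `audit_bluetooth` with no arguments to check the running system; a zero exit status means every listed module is both unloaded and blocked.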
