CVE-2023-53762: Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync
Use-after-free can occur in hci_disconnect_all_sync if a connection is
deleted by concurrent processing of a controller event.
To prevent this the code now tries to iterate over the list backwards
to ensure the links are cleanup before its parents, also it no longer
relies on a cursor, instead it always uses the last element since
hci_abort_conn_sync is guaranteed to call hci_conn_del.
UAF crash log:
==================================================================
BUG: KASAN: slab-use-after-free in hci_set_powered_sync
(net/bluetooth/hci_sync.c:5424) [bluetooth]
Read of size 8 at addr ffff888009d9c000 by task kworker/u9:0/124
CPU: 0 PID: 124 Comm: kworker/u9:0 Tainted: G W
6.5.0-rc1+ #10
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
1.16.2-1.fc38 04/01/2014
Workqueue: hci0 hci_cmd_sync_work [bluetooth]
Call Trace:
<TASK>
dump_stack_lvl+0x5b/0x90
print_report+0xcf/0x670
? __virt_addr_valid+0xdd/0x160
? hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]
kasan_report+0xa6/0xe0
? hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]
? __pfx_set_powered_sync+0x10/0x10 [bluetooth]
hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]
? __pfx_hci_set_powered_sync+0x10/0x10 [bluetooth]
? __pfx_lock_release+0x10/0x10
? __pfx_set_powered_sync+0x10/0x10 [bluetooth]
hci_cmd_sync_work+0x137/0x220 [bluetooth]
process_one_work+0x526/0x9d0
? __pfx_process_one_work+0x10/0x10
? __pfx_do_raw_spin_lock+0x10/0x10
? mark_held_locks+0x1a/0x90
worker_thread+0x92/0x630
? __pfx_worker_thread+0x10/0x10
kthread+0x196/0x1e0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2c/0x50
</TASK>
Allocated by task 1782:
kasan_save_stack+0x33/0x60
kasan_set_track+0x25/0x30
__kasan_kmalloc+0x8f/0xa0
hci_conn_add+0xa5/0xa80 [bluetooth]
hci_bind_cis+0x881/0x9b0 [bluetooth]
iso_connect_cis+0x121/0x520 [bluetooth]
iso_sock_connect+0x3f6/0x790 [bluetooth]
__sys_connect+0x109/0x130
__x64_sys_connect+0x40/0x50
do_syscall_64+0x60/0x90
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Freed by task 695:
kasan_save_stack+0x33/0x60
kasan_set_track+0x25/0x30
kasan_save_free_info+0x2b/0x50
__kasan_slab_free+0x10a/0x180
__kmem_cache_free+0x14d/0x2e0
device_release+0x5d/0xf0
kobject_put+0xdf/0x270
hci_disconn_complete_evt+0x274/0x3a0 [bluetooth]
hci_event_packet+0x579/0x7e0 [bluetooth]
hci_rx_work+0x287/0xaa0 [bluetooth]
process_one_work+0x526/0x9d0
worker_thread+0x92/0x630
kthread+0x196/0x1e0
ret_from_fork+0x2c/0x50
==================================================================
Security readout for executives and security teams
Plain-English summary
CVE-2023-53762 is a Linux kernel Bluetooth memory-safety bug. A race can leave kernel code using a connection object after it was freed, causing a KASAN-confirmed use-after-free crash. The sources show kernel fixes, but no CVSS score, KEV listing, or active exploitation evidence.
Executive priority
Treat as a targeted kernel-maintenance item, not an emergency based on current evidence. Patch Bluetooth-enabled Linux fleets during normal security cycles, faster for endpoints, appliances, or lab systems where Bluetooth is active.
Technical view
The issue is in Linux Bluetooth hci_sync, specifically hci_disconnect_all_sync. Concurrent controller event handling can delete a connection while disconnect cleanup still references it. The fix changes list traversal and avoids relying on a cursor, using the last element because hci_abort_conn_sync deletes the connection.
Likely exposure
Exposure appears limited to Linux systems running affected kernel builds with Bluetooth enabled or in use. The bundle lists Linux kernel versions including 5.17, 6.4.16, 6.5.3, and 6.6, but the version-range semantics are not fully clear.
Exploitation context
No source in the bundle reports public exploitation, weaponized exploit code, or CISA KEV inclusion. The provided evidence is a kernel crash trace and stable kernel fixes. Impact beyond crash or denial of service is not established in the supplied sources.
Researcher notes
The source evidence points to a concurrency UAF in Bluetooth connection cleanup. The crash path includes hci_set_powered_sync, hci_disconn_complete_evt, and ISO/CIS connection allocation. Version applicability should be confirmed against upstream stable commits or distribution backports.
Mitigation direction
Apply vendor kernel updates containing the referenced stable fixes.
Prioritize systems where Bluetooth is enabled, exposed, or operationally unnecessary.
If patching is delayed, consider disabling Bluetooth where business operations allow.
Track Linux distribution advisories for exact fixed package versions.
Validation and detection
Inventory Linux hosts and record kernel versions and Bluetooth enablement.
Map running kernels against vendor advisories and referenced stable commits.
Check whether Bluetooth modules or controllers are active on in-scope systems.
Confirm patched hosts are running the updated kernel after reboot.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2023-53762 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.