Login Sign Up

CVE-2022-49111

7.8 HIGH
Denial of Service

📋 TL;DR

This is a use-after-free vulnerability in the Linux kernel's Bluetooth subsystem that allows an attacker to cause memory corruption and potentially execute arbitrary code or crash the system. It affects Linux systems with Bluetooth enabled, particularly when AMP (Alternate MAC/PHY) links are used for high-speed Bluetooth connections.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Kernel versions before the fix commits (specific versions vary by distribution, but generally 5.17-rc5 and earlier affected)
Operating Systems: Linux distributions with vulnerable kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Bluetooth to be enabled and AMP (Alternate MAC/PHY) link functionality to be triggered. Many systems have Bluetooth disabled by default in server environments.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, kernel panic causing denial of service, or privilege escalation to kernel mode.

🟠

Likely Case

System crash or kernel panic resulting in denial of service, potentially requiring physical reboot of affected systems.

🟢

If Mitigated

Limited impact if Bluetooth is disabled or AMP links are not used, though the vulnerability exists in the kernel code.

🌐 Internet-Facing: LOW - Bluetooth typically has limited range (10-100 meters) and requires proximity, though Bluetooth over IP could increase risk.
🏢 Internal Only: MEDIUM - Internal attackers with Bluetooth access could exploit this, but requires proximity to target systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires Bluetooth access and triggering specific AMP link disconnection events. The use-after-free occurs in hci_send_acl when handling HCI_EV_DISCONN_PHY_LINK_COMPLETE events.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in kernel commits: 2cc803804ec9a296b3156855d6c8c4ca1c6b84be, 3803d896ddd97c7c16689a5381c0960040727647, 4da302b90b96c309987eb9b37c8547f939f042d2, 643a6c26bd32e339d00ad97b8822b6db009e803c, 684e505406abaeabe0058e9776f9210bf2747953

Vendor Advisory: https://git.kernel.org/stable/c/2cc803804ec9a296b3156855d6c8c4ca1c6b84be

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing the fix commits. 2. Check your distribution's security advisories for specific patched kernel versions. 3. Reboot system after kernel update to load patched kernel.

🔧 Temporary Workarounds

Disable Bluetooth

Linux

Completely disable Bluetooth functionality to prevent exploitation

systemctl stop bluetooth
systemctl disable bluetooth
rfkill block bluetooth

Disable AMP Links

Linux

Prevent AMP (Alternate MAC/PHY) link usage if Bluetooth must remain enabled

echo 0 > /sys/module/bluetooth/parameters/amp
Add 'bluetooth.amp=0' to kernel boot parameters

🧯 If You Can't Patch

  • Disable Bluetooth completely on affected systems
  • Implement network segmentation to isolate Bluetooth-enabled systems
  • Monitor for Bluetooth-related crashes or unusual activity

🔍 How to Verify

Check if Vulnerable:

Check kernel version and if it contains the fix commits: uname -r and examine kernel source or distribution security advisories

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is updated to one containing the fix commits, and check that Bluetooth functionality still works properly

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • Bluetooth subsystem crashes in dmesg
  • KASAN reports of use-after-free in hci_send_acl

Network Indicators:

  • Unusual Bluetooth connection attempts
  • Multiple AMP link establishment/disconnection events

SIEM Query:

source="kernel" AND ("KASAN" OR "use-after-free" OR "hci_send_acl" OR "Bluetooth crash")

📊 Metadata

CVE ID: CVE-2022-49111
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-416
EPSS Score: 0.04% exploit probability (11.6th percentile)
Published: February 26, 2025
Last Updated: March 25, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-49111, you might also want to check these:

CVE-2025-24085 10.0

This CVE describes a use-after-free vulnerability (CWE-416) in Apple operating systems that allows m...

Same vulnerability type (CWE-416)
CVE-2024-43102 10.0

This CVE describes a use-after-free vulnerability in FreeBSD's umtx (user mutex) subsystem where con...

Same vulnerability type (CWE-416)
CVE-2021-33796 10.0

CVE-2021-33796 is a use-after-free vulnerability in MuJS's regexp source property access that can le...

Same vulnerability type (CWE-416)