CVE-2023-51779

7.0 HIGH

📋 TL;DR

This vulnerability in the Linux kernel's Bluetooth subsystem allows a local attacker to trigger a use-after-free condition through a race condition in bt_sock_ioctl. This can potentially lead to privilege escalation or system crashes. Any Linux system with Bluetooth enabled and running kernel versions up to 6.6.8 is affected.

💻 Affected Systems

Products:
  • Linux kernel
Versions: All versions through 6.6.8
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable if Bluetooth subsystem is enabled and accessible. Systems without Bluetooth hardware or with Bluetooth disabled are not vulnerable.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local privilege escalation to root, allowing complete system compromise and potential persistence mechanisms.

🟠 Likely Case

Kernel panic or system crash leading to denial of service, with potential for limited privilege escalation in specific configurations.

🟢 If Mitigated

Minimal impact if Bluetooth is disabled or proper access controls restrict local user privileges.

🌐 Internet-Facing: LOW - Requires local access to the system, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Local attackers on multi-user systems or compromised low-privilege accounts could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and race condition triggering, making exploitation somewhat complex but feasible for skilled attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel 6.6.9 and later, or distributions with backported fixes

Vendor Advisory: https://github.com/torvalds/linux/commit/2e07e8348ea454615e268222ae3fc240421be768

Restart Required: Yes

Instructions:

  1. Update the kernel to version 6.6.9 or later.
  2. For distributions: use the package manager (apt/yum/dnf) to update the kernel package.
  3. Reboot the system to load the new kernel.

🔧 Temporary Workarounds

Disable Bluetooth


Completely disable the Bluetooth subsystem to prevent exploitation. Stopping the service alone is not enough, because the vulnerable code is in the kernel's bluetooth module, so unload that module as well. modprobe -r will refuse if other Bluetooth modules (for example rfcomm or bnep) are still loaded; unload those first. To keep the module from being loaded again at the next boot, add a blacklist entry under /etc/modprobe.d/ (a "blacklist bluetooth" line stops alias-based autoloading; an "install bluetooth /bin/false" line also blocks explicit loading). A kernel with Bluetooth compiled in rather than built as a module cannot be disabled this way and needs the patch.

sudo systemctl stop bluetooth
sudo systemctl disable bluetooth
sudo modprobe -r btusb bluetooth

Restrict Bluetooth access


Use kernel capabilities or SELinux/AppArmor to restrict access to Bluetooth sockets. The two commands below only constrain the BlueZ user-space tooling (the bluetoothctl binary and the bluetoothd runtime directory); an unprivileged process can still open an AF_BLUETOOTH socket directly and reach the vulnerable kernel code, so treat them as hardening rather than a substitute for the patch or for unloading the module. A mandatory access control policy (SELinux or AppArmor) that denies Bluetooth sockets to untrusted domains is the more effective form of this workaround.

sudo setcap -r /usr/bin/bluetoothctl
sudo chmod 750 /var/run/bluetooth

🧯 If You Can't Patch

  • Disable Bluetooth subsystem completely if not required
  • Implement strict access controls to limit which users can access Bluetooth functionality

🔍 How to Verify

Check if Vulnerable:

Check the kernel version with uname -r. If it reports 6.6.8 or earlier, the system is vulnerable if Bluetooth is enabled. A version check alone can give a false positive on distribution kernels, which often keep an older version number while backporting the fix; confirm against your vendor's advisory or the kernel package changelog for the fix commit listed above.

Check Version:

uname -r

Verify Fix Applied:

After patching, verify that the kernel version is 6.6.9 or later with uname -r (or, for a distribution kernel, that the installed package's changelog references the fix for this CVE), and check that Bluetooth still functions if it is needed.
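As an added example (not one of this page's downloadable scripts and not part of the kernel project), the following POSIX shell script combines the two checks above: it parses the uname -r string and compares it against the 6.6.8 cut-off, and it looks for the bluetooth core via /proc/modules and /sys/class/bluetooth (both paths are assumptions about the target host). It carries the same limitation as a manual version check: a distribution kernel with a backported fix will still be reported as in the affected range.

```shell
#!/bin/sh
# Added example for CVE-2023-51779: is the running kernel in the affected
# version range, and is the Bluetooth subsystem present at all?
# Affected range per this advisory: all versions through 6.6.8; fixed in 6.6.9.

# is_affected_version VERSION
# Returns 0 (true) if the numeric x.y.z part of VERSION is <= 6.6.8,
# 1 otherwise. Suffixes such as "-generic", "-arch1-1" or "-rc1" are ignored.
is_affected_version() {
  v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')   # keep only leading digits/dots
  set -- $(printf '%s' "$v" | tr '.' ' ')          # split into components
  major=${1:-0}; minor=${2:-0}; patch=${3:-0}      # missing parts count as 0
  # compare component by component against 6.6.8
  if [ "$major" -lt 6 ]; then return 0; fi
  if [ "$major" -gt 6 ]; then return 1; fi
  if [ "$minor" -lt 6 ]; then return 0; fi
  if [ "$minor" -gt 6 ]; then return 1; fi
  [ "$patch" -le 8 ]
}

# bluetooth_module_listed [MODULES_FILE]
# Returns 0 if the bluetooth core module appears in a /proc/modules-style
# listing (default: the live /proc/modules; "-" reads the listing from stdin).
bluetooth_module_listed() {
  modules_file=${1:-/proc/modules}
  grep -q '^bluetooth ' "$modules_file" 2>/dev/null
}

# bluetooth_subsystem_present
# A kernel with Bluetooth compiled in never shows a module, so also check
# for the sysfs class directory the Bluetooth core registers when it starts.
bluetooth_subsystem_present() {
  [ -d /sys/class/bluetooth ] || bluetooth_module_listed /proc/modules
}

# check_running_kernel
# Prints a one-line summary for the host this script runs on.
check_running_kernel() {
  running=$(uname -r)
  if is_affected_version "$running"; then
    ver_msg="kernel $running is within the affected range (<= 6.6.8)"
  else
    ver_msg="kernel $running is outside the affected range"
  fi
  if bluetooth_subsystem_present; then
    bt_msg="Bluetooth subsystem present"
  else
    bt_msg="Bluetooth subsystem not present"
  fi
  printf '%s; %s\n' "$ver_msg" "$bt_msg"
}

check_running_kernel
```

Run it as an unprivileged user; neither check needs root. A result of "within the affected range" together with "Bluetooth subsystem present" is the case that needs the patch or one of the workarounds above, subject to the backport caveat.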

📡 Detection & Monitoring

Log Indicators:

  • Kernel oops messages in /var/log/kern.log or dmesg
  • Bluetooth subsystem crashes
  • Unexpected privilege escalation attempts

Network Indicators:

  • None - local exploit only

SIEM Query:

source="kernel" AND ("oops" OR "use-after-free" OR "bt_sock")
