CVE-2024-35856
📋 TL;DR
This CVE describes a double-free vulnerability in the Linux kernel's Bluetooth driver for MediaTek chipsets. When a Bluetooth device coredump fails, the kernel attempts to free the same memory buffer twice, which can lead to memory corruption and system instability. This affects Linux systems with MediaTek Bluetooth hardware and the vulnerable kernel driver.
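As an added illustration (not the page's or the kernel's code), this user-space C model shows the ownership mistake the TL;DR describes: a coredump sink that frees its buffer when it cannot accept the fragment, and a caller that frees the same buffer again on that error path, next to the corrected caller that hands ownership over and never touches the buffer again. The mock_skb type, coredump_append and the accept flag are constructed stand-ins; the instrumented free counts double frees instead of corrupting the heap.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed user-space model of the CVE-2024-35856 bug class (not kernel
 * code): a stand-in skb and an instrumented free that counts double frees. */
struct mock_skb { char *data; int freed; };
static int double_free_count;   /* times a freed buffer was freed again */
static struct mock_skb *mock_alloc(size_t len) {
    struct mock_skb *skb = calloc(1, sizeof *skb);
    skb->data = malloc(len);
    return skb;
}
/* Stand-in for kfree_skb(): a real second free hands the allocator a stale
 * chunk; here it is only counted. The struct is kept so the second free shows. */
static void mock_free(struct mock_skb *skb) {
    if (skb->freed) { double_free_count++; return; }
    skb->freed = 1;
    free(skb->data);
}
/* Coredump sink: owns skb and frees it on success and on failure alike. */
static int coredump_append(struct mock_skb *skb, int accept) {
    mock_free(skb);             /* freed on both paths, so the caller must not */
    return accept ? 0 : -1;
}
/* Vulnerable pattern: the caller frees again on the error path. */
static int process_coredump_vulnerable(int accept) {
    struct mock_skb *skb = mock_alloc(64);
    int err = coredump_append(skb, accept);
    if (err < 0)
        mock_free(skb);         /* BUG: the sink already freed it */
    return err;
}
/* Fixed pattern: ownership moves to the sink; skb is never touched after. */
static int process_coredump_fixed(int accept) {
    return coredump_append(mock_alloc(64), accept);
}
/* Runs one scenario and returns the number of double frees it produced. */
int count_double_frees(int use_fixed, int accept) {
    double_free_count = 0;
    if (use_fixed) process_coredump_fixed(accept);
    else process_coredump_vulnerable(accept);
    return double_free_count;
}
int main(void) {
    printf("double frees when the dump fails: vulnerable=%d fixed=%d\n",
           count_double_frees(0, 0), count_double_frees(1, 0));
    return 0;
}
```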
💻 Affected Systems
- Linux kernel with MediaTek Bluetooth driver (btusb)
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic, system crash, or potential privilege escalation if an attacker can trigger the double-free and control memory allocation patterns to execute arbitrary code.
Likely Case
System instability, kernel crashes, or denial of service when Bluetooth coredump operations fail under specific conditions.
If Mitigated
Minimal impact if Bluetooth coredump functionality is not used or if the system has memory corruption protections enabled.
🎯 Exploit Status
Exploitation requires triggering specific error conditions in Bluetooth coredump handling and controlling memory allocation patterns.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patched in kernel commits: 18bdb386a1a30e7a3d7732a98e45e69cf6b5710d, 80dfef128cb9f1b1ef67c0fe8c8deb4ea7ad30c1, e20093c741d8da9f6390dd45d75b779861547035
Vendor Advisory: https://git.kernel.org/stable/c/18bdb386a1a30e7a3d7732a98e45e69cf6b5710d
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a version containing the fix.
2. Reboot the system to load the new kernel.
3. Verify the patch is applied by checking the kernel version or commit hash.
🔧 Temporary Workarounds
Disable Bluetooth coredump functionality
Prevent the vulnerable code path from being triggered by disabling Bluetooth coredump features (requires root and a mounted debugfs; the loop avoids the "ambiguous redirect" error a glob in a redirect target produces when more than one hci device is present):
for f in /sys/kernel/debug/bluetooth/hci*/coredump; do echo 0 > "$f"; done
Unload MediaTek Bluetooth driver
Remove the vulnerable driver if Bluetooth is not needed (this does not persist across reboots; add a blacklist entry under /etc/modprobe.d/ to keep the module unloaded):
modprobe -r btusb
🧯 If You Can't Patch
- Restrict Bluetooth access to trusted users only
- Implement strict access controls and monitoring for Bluetooth-related system calls
🔍 How to Verify
Check if Vulnerable:
Check whether the system has MediaTek Bluetooth hardware and record the running kernel version. The Bluetooth function served by btusb is a USB device, even on PCIe WiFi/Bluetooth combo cards, so list USB devices rather than PCI devices:
lsusb | grep -i mediatek; uname -r
Check Version:
uname -r
Verify Fix Applied:
Confirm the running kernel is a release that contains the fix commits listed above; for a self-built kernel, check that one of those commit hashes appears in its git history.
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- Bluetooth subsystem crash logs
- Memory corruption warnings in dmesg
Network Indicators:
- Unusual Bluetooth connection attempts triggering coredump
SIEM Query:
source="kernel" AND ("double free" OR "panic" OR "Oops") AND "bluetooth"
🔗 References
- https://git.kernel.org/stable/c/18bdb386a1a30e7a3d7732a98e45e69cf6b5710d
- https://git.kernel.org/stable/c/80dfef128cb9f1b1ef67c0fe8c8deb4ea7ad30c1
- https://git.kernel.org/stable/c/e20093c741d8da9f6390dd45d75b779861547035