CVE-2022-48947 in Linux
Summary
by MITRE • 10/21/2024
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix u8 overflow
By repeatedly sending L2CAP_CONF_REQ packets, chan->num_conf_rsp increases multiple times and eventually wraps around the maximum value (i.e., 255). This patch prevents this by adding a boundary check with L2CAP_MAX_CONF_RSP.
Btmon log:
Bluetooth monitor ver 5.64
= Note: Linux version 6.1.0-rc2 (x86_64)                                 0.264594
= Note: Bluetooth subsystem version 2.22                                 0.264636
@ MGMT Open: btmon (privileged) version 1.22                    {0x0001} 0.272191
= New Index: 00:00:00:00:00:00 (Primary,Virtual,hci0)             [hci0] 13.877604
@ RAW Open: 9496 (privileged) version 2.22                      {0x0002} 13.890741
= Open Index: 00:00:00:00:00:00                                   [hci0] 13.900426
(...)
> ACL Data RX: Handle 200 flags 0x00 dlen 1033               #32 [hci0] 14.273106
        invalid packet size (12 != 1033)
        08 00 01 00 02 01 04 00 01 10 ff ff                    ............
> ACL Data RX: Handle 200 flags 0x00 dlen 1547               #33 [hci0] 14.273561
        invalid packet size (14 != 1547)
        0a 00 01 00 04 01 06 00 40 00 00 00 00 00              ........@.....
> ACL Data RX: Handle 200 flags 0x00 dlen 2061               #34 [hci0] 14.274390
        invalid packet size (16 != 2061)
        0c 00 01 00 04 01 08 00 40 00 00 00 00 00 00 04        ........@.......
> ACL Data RX: Handle 200 flags 0x00 dlen 2061               #35 [hci0] 14.274932
        invalid packet size (16 != 2061)
        0c 00 01 00 04 01 08 00 40 00 00 00 07 00 03 00        ........@.......
= bluetoothd: Bluetooth daemon 5.43                                      14.401828
> ACL Data RX: Handle 200 flags 0x00 dlen 1033               #36 [hci0] 14.275753
        invalid packet size (12 != 1033)
        08 00 01 00 04 01 04 00 40 00 00 00                    ........@...
Analysis
by VulDB Data Team • 01/18/2026
The vulnerability CVE-2022-48947 represents a critical integer overflow flaw within the Linux kernel's Bluetooth implementation, specifically affecting the L2CAP (Logical Link Control and Adaptation Protocol) layer. This issue manifests as an unsigned 8-bit integer overflow in the configuration response counter mechanism, where the variable chan->num_conf_rsp increments repeatedly with each L2CAP_CONF_REQ packet received. The flaw stems from the absence of boundary checks during this counter incrementation process, allowing the value to wrap around from 255 back to 0 once the maximum unsigned 8-bit value is exceeded. This vulnerability falls under the CWE-190 category of Integer Overflow or Wraparound, which is a well-documented weakness in software systems where arithmetic operations exceed the maximum representable value of the data type. The operational impact of this vulnerability is significant as it can lead to unpredictable behavior in the Bluetooth connection management system, potentially enabling denial of service conditions or more severe exploitation scenarios.
The technical exploitation of this vulnerability occurs through a specific sequence of L2CAP configuration requests that continuously increment the response counter beyond its 8-bit capacity. According to the btmon log provided above, attackers can trigger this condition by sending multiple L2CAP_CONF_REQ packets to a target device, causing the num_conf_rsp counter to increment until it wraps around. The log shows a pattern of increasing packet sizes and malformed data transmission that reflects the system's attempt to process these malformed packets. The kernel's handling of these configuration requests lacks proper validation of the counter value against the defined maximum threshold L2CAP_MAX_CONF_RSP, which is designed to prevent such overflows. This vulnerability directly relates to the ATT&CK technique T1070.004, which involves the manipulation of information systems through overflow conditions, and to the broader category of privilege escalation attacks that can leverage kernel-level flaws. The issue demonstrates a classic buffer management problem in which the system fails to properly validate the range of counter values, creating a potential entry point for attackers to disrupt normal Bluetooth operations.
The operational impact of this vulnerability extends beyond simple denial of service scenarios, as it can potentially be leveraged to cause more serious system instability or even privilege escalation within the kernel context. When the counter wraps around from 255 to 0, the Bluetooth subsystem may misinterpret the configuration state, leading to connection failures, data corruption, or system crashes. The vulnerability affects any Linux system running kernel versions that include the affected Bluetooth L2CAP implementation, particularly those supporting Bluetooth Low Energy and classic Bluetooth protocols. The attack vector requires only the ability to send L2CAP configuration packets to the target device, making it relatively easy to exploit in environments where Bluetooth communication is active. Security professionals should note that this vulnerability operates at the kernel level, meaning that successful exploitation could potentially allow attackers to gain elevated privileges or cause persistent system disruptions. The patch implemented addresses this by introducing boundary checks that prevent the counter from exceeding the defined maximum value, ensuring that the configuration response process remains within predictable limits. This fix aligns with the principle of least privilege and input validation, which are fundamental security practices recommended by various cybersecurity frameworks including the NIST Cybersecurity Framework and ISO 27001 standards. The vulnerability demonstrates the critical importance of proper integer overflow protection in kernel space code, where such flaws can have far-reaching consequences for system integrity and availability.
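The counter behaviour described in the commit message and in the analysis above, as an added example that is not kernel code: a minimal model of the u8 counter with the unguarded increment beside the bounded one, driven by the CONF_REQ frame from the btmon dump. The constant L2CAP_MAX_CONF_RSP and the command code mirror the kernel headers; the struct and function names are assumptions standing in for struct l2cap_chan and l2cap_config_req().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not the kernel's own code. L2CAP_MAX_CONF_RSP is the
 * value from include/net/bluetooth/l2cap.h; the struct is an assumption
 * standing in for struct l2cap_chan. */
#define L2CAP_MAX_CONF_RSP  2
#define L2CAP_CID_SIGNALING 0x0001
#define L2CAP_CONF_REQ      0x04

struct l2cap_chan { uint8_t num_conf_rsp; };

/* Return the signalling command code of one L2CAP frame (basic header
 * followed by a command header), or -1 if the frame is not a well-formed
 * signalling command. All fields are little-endian as on the wire. */
int l2cap_sig_code(const uint8_t *f, size_t n)
{
    if (n < 8) return -1;
    uint16_t len = f[0] | (f[1] << 8), cid = f[2] | (f[3] << 8);
    uint16_t cmd_len = f[6] | (f[7] << 8);
    if (cid != L2CAP_CID_SIGNALING || (size_t)len + 4 != n) return -1;
    if ((size_t)cmd_len + 4 != len) return -1;
    return f[4];
}

/* Vulnerable handler: a u8 incremented on every CONF_REQ with no bound,
 * so the 256th request wraps it back to 0. */
void config_req_vulnerable(struct l2cap_chan *c) { c->num_conf_rsp++; }

/* Fixed handler, modelled on the upstream fix: stop counting at the limit. */
void config_req_fixed(struct l2cap_chan *c)
{
    if (c->num_conf_rsp < L2CAP_MAX_CONF_RSP) c->num_conf_rsp++;
}

/* Deliver the same CONF_REQ frame `count` times; return the final counter. */
unsigned deliver_conf_reqs(unsigned count, int fixed)
{
    /* Frame #33 from the btmon dump above: len 10, CID 1, code 0x04
     * (CONF_REQ), ident 1, cmd len 6, dcid 0x0040, flags 0. */
    static const uint8_t frame[] = {0x0a,0x00,0x01,0x00,0x04,0x01,0x06,0x00,
                                    0x40,0x00,0x00,0x00,0x00,0x00};
    struct l2cap_chan chan = {0};
    for (unsigned i = 0; i < count; i++) {
        if (l2cap_sig_code(frame, sizeof frame) != L2CAP_CONF_REQ) break;
        if (fixed) config_req_fixed(&chan); else config_req_vulnerable(&chan);
    }
    return chan.num_conf_rsp;
}

int main(void)
{
    printf("vulnerable after 256 requests: %u\n", deliver_conf_reqs(256, 0));
    printf("fixed after 256 requests:      %u\n", deliver_conf_reqs(256, 1));
    return 0;
}
```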