CVE-2022-50233 in Linux
Summary
by MITRE • 08/09/2025
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: eir: Fix using strlen with hdev->{dev_name,short_name}
Both dev_name and short_name are not guaranteed to be NULL terminated, so this instead uses strnlen and then attempts to determine if the resulting string needs to be truncated or not.
Analysis
by VulDB Data Team • 01/30/2026
This vulnerability exists within the Linux kernel's Bluetooth subsystem, specifically in the Extended Inquiry Response (EIR) handling code. The issue stems from improper string length calculation when processing the device name and short name fields during Bluetooth discovery operations. The flaw occurs in the Bluetooth EIR implementation, where the kernel calls the strlen function directly on character buffers that are not guaranteed to be null-terminated. This represents a classic buffer overflow risk that could potentially lead to memory corruption or information disclosure.
The technical implementation flaw arises from the assumption that dev_name and short_name fields are always null-terminated character strings. These fields are part of the Bluetooth device structure and may contain arbitrary data that does not necessarily end with a null character. When strlen is applied to such non-null-terminated strings, it continues reading memory until it encounters a zero byte, potentially reading beyond the allocated buffer boundaries. This vulnerability maps to CWE-121, which describes stack-based buffer overflow conditions, and CWE-122, which covers heap-based buffer overflow scenarios. The improper use of string functions without proper bounds checking creates an attack surface where malicious Bluetooth devices could craft specially formatted EIR data to trigger memory corruption.
The operational impact of this vulnerability extends beyond simple memory corruption as it affects the stability and reliability of Bluetooth services on Linux systems. When exploited, this vulnerability could cause system crashes, leading to denial of service conditions for Bluetooth functionality. The attack vector requires an attacker to be within range of a vulnerable device and to be able to establish a Bluetooth connection with it, making this particularly concerning for IoT devices and mobile platforms where Bluetooth is extensively used. From an adversarial perspective, this vulnerability aligns with ATT&CK technique T1059.007 for command and scripting interpreter and T1489 for denial of service, as it can be leveraged to disrupt Bluetooth services and potentially escalate privileges through system instability.
The fix implemented addresses this by replacing the strlen function calls with strnlen, which provides a maximum length parameter to prevent reading beyond buffer boundaries. Additionally, the code now includes logic to determine if the resulting string needs truncation based on the actual data length. This remediation approach follows secure coding practices recommended in the CERT C Secure Coding Standard, specifically the STR30-C rule which advises using strnlen instead of strlen when dealing with potentially unbounded strings. The solution effectively mitigates the risk by ensuring that string operations are bounded and safe, preventing the potential for memory corruption while maintaining the intended functionality of Bluetooth device discovery and advertising.
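To make the strlen-versus-strnlen distinction concrete, here is an added, self-contained C example; it is not the kernel's code. It uses a hypothetical demo_dev stand-in for the hci_dev name fields with constructed, deliberately small buffer sizes, and shows the unsafe length computation beside a bounded one that selects the complete name, the short name, or a truncated name depending on the EIR space left. The AD type values 0x08 and 0x09 are the Bluetooth-assigned numbers for shortened and complete local name.

```c
#define _POSIX_C_SOURCE 200809L   /* declares strnlen in <string.h> */
#include <stdint.h>
#include <string.h>

/* Constructed, deliberately small buffer sizes for the demo. */
#define NAME_LEN          8
#define SHORT_NAME_LEN    4
#define EIR_NAME_SHORT    0x08   /* AD type: shortened local name */
#define EIR_NAME_COMPLETE 0x09   /* AD type: complete local name */

/* Hypothetical stand-in for the hci_dev name fields: fixed arrays that
 * may be completely filled, leaving no NUL terminator. */
struct demo_dev {
    char dev_name[NAME_LEN];
    char short_name[SHORT_NAME_LEN];
};

/* Vulnerable pattern from the advisory: strlen reads past the end of
 * dev_name whenever all NAME_LEN bytes are in use. Not called below. */
size_t name_len_unsafe(const struct demo_dev *d)
{
    return strlen(d->dev_name);
}

/* Fixed pattern: bound the length with strnlen, then decide whether the
 * complete name fits the remaining EIR space, else fall back to
 * short_name, else truncate. Writes [len][type][bytes]; returns count. */
static size_t eir_append_local_name(const struct demo_dev *d,
                                    uint8_t *eir, size_t eir_space)
{
    const char *src = d->dev_name;
    size_t len = strnlen(d->dev_name, sizeof(d->dev_name));
    uint8_t type = EIR_NAME_COMPLETE;
    if (eir_space < 3)             /* need length + type + 1 data byte */
        return 0;
    if (len + 2 > eir_space) {     /* complete name does not fit */
        size_t slen = strnlen(d->short_name, sizeof(d->short_name));
        if (slen) {
            src = d->short_name;
            len = slen;
        }
        if (len + 2 > eir_space)
            len = eir_space - 2;   /* truncate to what fits */
        type = EIR_NAME_SHORT;
    }
    if (len == 0)
        return 0;
    eir[0] = (uint8_t)(len + 1);   /* AD length counts type byte + data */
    eir[1] = type;
    memcpy(eir + 2, src, len);
    return len + 2;
}
```

The key line is the strnlen call bounded by sizeof the array: a fully populated dev_name yields NAME_LEN rather than a walk into whatever memory follows the field.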