CVE-2024-26801 in Linux
Summary
by MITRE • 04/04/2024
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Avoid potential use-after-free in hci_error_reset
While handling the HCI_EV_HARDWARE_ERROR event, if the underlying BT controller is not responding, the GPIO reset mechanism would free the hci_dev and lead to a use-after-free in hci_error_reset.
Here's the call trace observed on a ChromeOS device with Intel AX201: queue_work_on+0x3e/0x6c __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth ]
? init_wait_entry+0x31/0x31 __hci_cmd_sync+0x16/0x20 [bluetooth ]
hci_error_reset+0x4f/0xa4 [bluetooth ]
process_one_work+0x1d8/0x33f worker_thread+0x21b/0x373 kthread+0x13a/0x152 ? pr_cont_work+0x54/0x54 ? kthread_blkcg+0x31/0x31 ret_from_fork+0x1f/0x30
This patch holds the reference count on the hci_dev while processing a HCI_EV_HARDWARE_ERROR event to avoid potential crash.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 08/04/2025
The vulnerability CVE-2024-26801 represents a critical use-after-free condition within the Linux kernel's Bluetooth subsystem, specifically affecting the HCI (Host Controller Interface) error handling mechanism. This flaw manifests when the system processes the HCI_EV_HARDWARE_ERROR event, which occurs when a Bluetooth controller fails to respond to commands. The issue is particularly significant in embedded systems and mobile devices where Bluetooth functionality is integral to device operation, including ChromeOS devices equipped with Intel AX201 wireless chips.
The technical root cause of this vulnerability lies in the improper management of reference counting for the hci_dev structure during error recovery operations. When a hardware error event is detected, the kernel attempts to reset the Bluetooth controller through GPIO mechanisms, which involves freeing the hci_dev structure. However, if the reset process completes before all references to the structure are cleared, subsequent operations may attempt to access freed memory, leading to unpredictable behavior and potential system crashes. This use-after-free condition directly maps to CWE-416, which classifies improper cleanup of dynamically allocated memory resources.
The operational impact of this vulnerability extends beyond simple system instability, as it creates potential attack vectors for privilege escalation and denial-of-service scenarios. The call trace demonstrates a clear execution path where queue_work_on schedules work items, leading to hci_error_reset execution, which ultimately results in accessing freed memory. The vulnerability affects devices running Linux kernel versions where the specific patch has not been applied, making it particularly dangerous for production environments. This flaw aligns with ATT&CK technique T1068, which covers 'Exploitation for Privilege Escalation' and T1499, covering 'Endpoint Denial of Service', as the system crash could be leveraged to disrupt device functionality or potentially gain elevated privileges.
Mitigation strategies for CVE-2024-26801 require immediate kernel updates to implement the referenced patch that maintains proper reference counting during HCI error handling operations. System administrators should prioritize patch deployment across all affected devices, particularly those in enterprise environments where Bluetooth connectivity is critical. The fix addresses the underlying issue by ensuring the hci_dev reference count remains intact during the processing of HCI_EV_HARDWARE_ERROR events, preventing premature deallocation of resources. Additional monitoring should be implemented to detect anomalous Bluetooth error conditions that might indicate exploitation attempts, while security teams should review system logs for patterns consistent with the described call trace sequence. Organizations utilizing ChromeOS devices with Intel AX201 chips should verify patch compliance and consider implementing network segmentation to limit potential attack surface exposure.