CVE-2024-50078 in Linux
Summary
by MITRE • 10/29/2024
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Call iso_exit() on module unload
If iso_init() has been called, iso_exit() must be called on module unload. Without that, the struct proto that iso_init() registered with proto_register() becomes invalid, which could cause unpredictable problems later. In my case, with CONFIG_LIST_HARDENED and CONFIG_BUG_ON_DATA_CORRUPTION enabled, loading the module again usually triggers this BUG():
list_add corruption. next->prev should be prev (ffffffffb5355fd0), but was 0000000000000068. (next=ffffffffc0a010d0).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:29!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI
CPU: 1 PID: 4159 Comm: modprobe Not tainted 6.10.11-4+bt2-ao-desktop #1
RIP: 0010:__list_add_valid_or_report+0x61/0xa0
...
__list_add_valid_or_report+0x61/0xa0
proto_register+0x299/0x320
hci_sock_init+0x16/0xc0 [bluetooth]
bt_init+0x68/0xd0 [bluetooth]
__pfx_bt_init+0x10/0x10 [bluetooth]
do_one_initcall+0x80/0x2f0
do_init_module+0x8b/0x230
__do_sys_init_module+0x15f/0x190
do_syscall_64+0x68/0x110
...
Analysis
by VulDB Data Team • 10/02/2025
This vulnerability exists in the Linux kernel's Bluetooth subsystem, where incomplete module cleanup corrupts a kernel data structure. The issue arises when the bluetooth module is unloaded without calling iso_exit(), even though iso_init() was called during initialization. The protocol registration structure is then left in an inconsistent state, which can cause severe system instability and unpredictable behavior later in the kernel's operation.
The root cause is a missing cleanup routine in the module's exit path: iso_exit() is not invoked when the bluetooth module is unloaded. When iso_init() registers a protocol structure with proto_register(), it adds entries to kernel data structures that must be removed again when the module terminates. Without the corresponding iso_exit() call, these protocol entries become orphaned and invalid, leaving a dangling reference that corrupts internal kernel lists. The damage surfaces in the kernel's list management code, where the corrupted list triggers an immediate kernel panic.
The operational impact goes beyond simple module loading failures to potential system crashes and data corruption. When CONFIG_LIST_HARDENED and CONFIG_BUG_ON_DATA_CORRUPTION are enabled, the kernel's defensive checks detect the corrupted list and immediately trigger a kernel BUG, as the stack trace above shows. The error message reports a list_add corruption in which the next->prev pointer is invalid, meaning the kernel's list integrity check has detected a fundamental data-structure violation. The corruption typically occurs on a subsequent module load, leaving the system unstable and potentially causing a complete crash.
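The following user-space C model is an added illustration, not code from the kernel or from this advisory. It reimplements a simplified proto_register()/proto_unregister() pair over an intrusive list and a check shaped like __list_add_valid_or_report() from lib/list_debug.c, then runs a load/unload/reload cycle with and without the exit-path cleanup; the 0x68 scribble standing in for reused module memory and the function names are constructed assumptions.

```c
#include <stdbool.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };
struct proto { struct list_head node; const char *name; };
/* Modelled on __list_add_valid_or_report(): CONFIG_LIST_HARDENED checks these
 * invariants before every list_add(); CONFIG_BUG_ON_DATA_CORRUPTION makes a
 * failure a BUG() like the one in the trace above. */
static bool list_add_valid(struct list_head *node, struct list_head *prev,
                           struct list_head *next)
{
    return prev->next == next && next->prev == prev &&
           node != prev && node != next;
}

/* Stand-in for proto_register(): list_add() links the new proto after head. */
static bool proto_register(struct list_head *head, struct proto *p)
{
    struct list_head *next = head->next;
    if (!list_add_valid(&p->node, head, next))
        return false;               /* "list_add corruption. next->prev ..." */
    p->node.next = next;
    p->node.prev = head;
    head->next = next->prev = &p->node;
    return true;
}

/* Stand-in for proto_unregister(): list_del() unlinks the proto again. */
static void proto_unregister(struct proto *p)
{
    p->node.prev->next = p->node.next;
    p->node.next->prev = p->node.prev;
    p->node.next = p->node.prev = NULL;
}

/* Load, unload and reload a module. missing_exit models the bug: iso_exit() is
 * skipped, so the proto stays linked while its (scribbled) memory is freed. */
static bool reload_cycle(bool missing_exit)
{
    struct list_head head = { &head, &head };
    static struct proto image[2];
    memset(image, 0, sizeof image);
    image[0].name = image[1].name = "iso";
    if (!proto_register(&head, &image[0]))
        return false;
    if (!missing_exit)
        proto_unregister(&image[0]);            /* the fix: symmetric cleanup */
    memset(&image[0], 0x68, sizeof image[0]);   /* unloaded module memory reused */
    return proto_register(&head, &image[1]);    /* second modprobe */
}
```

With the cleanup in place the second registration succeeds; without it the stale node left on the list fails the next->prev check, which is exactly where the hardened kernel BUG()s.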
This vulnerability aligns with CWE-682, which addresses incorrect arithmetic operations and improper handling of data structures, and represents a classic case of resource management failure within kernel space. The ATT&CK framework categorizes this under T1068, which involves privilege escalation through local exploitation, as the vulnerability can be leveraged to cause system instability and potentially gain elevated privileges through kernel memory corruption. The flaw also connects to T1499, which covers network denial of service attacks, as the corrupted protocol handling could be exploited to disrupt bluetooth services and potentially affect broader system connectivity. The vulnerability demonstrates a fundamental lack of proper module lifecycle management, where initialization and cleanup routines are not symmetrically implemented, creating persistent kernel state corruption that affects system reliability.
The recommended mitigations include ensuring that all module initialization functions have corresponding cleanup functions, implementing proper error handling during module loading to prevent partial initialization states, and enforcing strict verification of module lifecycle management. System administrators should update to kernel versions that include the patched implementation where iso_exit() is properly called during module unload operations. Additionally, monitoring for kernel BUG messages related to list corruption and implementing proper module loading/unloading sequences can help detect and prevent exploitation of this vulnerability. Organizations should also consider disabling unnecessary bluetooth modules when not actively required and implementing robust kernel hardening configurations to limit the potential impact of such vulnerabilities.