Linux Kernel up to 6.0.15/6.1.1 Bluetooth hci_conn null pointer dereference

Summaryinfo

A vulnerability marked as critical has been reported in Linux Kernel up to 6.0.15/6.1.1. The impacted element is the function hci_conn of the component Bluetooth. This manipulation causes null pointer dereference. This vulnerability is registered as CVE-2022-50447. No exploit is available. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability classified as critical was found in Linux Kernel up to 6.0.15/6.1.1. Affected by this vulnerability is the function hci_conn of the component Bluetooth. The manipulation with an unknown input leads to a null pointer dereference vulnerability. The CWE definition for the vulnerability is CWE-476. A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. As an impact it is known to affect availability. The summary by CVE is:

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_conn: Fix crash on hci_create_cis_sync When attempting to connect multiple ISO sockets without using DEFER_SETUP may result in the following crash: BUG: KASAN: null-ptr-deref in hci_create_cis_sync+0x18b/0x2b0 Read of size 2 at addr 0000000000000036 by task kworker/u3:1/50 CPU: 0 PID: 50 Comm: kworker/u3:1 Not tainted 6.0.0-rc7-02243-gb84a13ff4eda #4373 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-1.fc36 04/01/2014 Workqueue: hci0 hci_cmd_sync_work Call Trace: <TASK> dump_stack_lvl+0x19/0x27 kasan_report+0xbc/0xf0 ? hci_create_cis_sync+0x18b/0x2b0 hci_create_cis_sync+0x18b/0x2b0 ? get_link_mode+0xd0/0xd0 ? __ww_mutex_lock_slowpath+0x10/0x10 ? mutex_lock+0xe0/0xe0 ? get_link_mode+0xd0/0xd0 hci_cmd_sync_work+0x111/0x190 process_one_work+0x427/0x650 worker_thread+0x87/0x750 ? process_one_work+0x650/0x650 kthread+0x14e/0x180 ? kthread_exit+0x50/0x50 ret_from_fork+0x22/0x30 </TASK>

It is possible to read the advisory at git.kernel.org. This vulnerability is known as CVE-2022-50447 since 09/17/2025. The exploitation appears to be difficult. Technical details of the vulnerability are known, but there is no available exploit.

The vulnerability scanner Nessus provides a plugin with the ID 283684 (RHEL 9 : kernel (RHSA-2026:0535)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 6.0.16 or 6.1.2 eliminates this vulnerability. Applying the patch a190cd9dc62d6ebeb679c1abe9dda4162dfefc84/09a3b0c9c7c6b10587fbb610b718014703cff341/50757a259ba78c4e938b5735e76ffec6cd0c942e is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Tenable (283684), EUVD (EUVD-2025-32830) and CERT Bund (WID-SEC-2025-2187). Be aware that VulDB is the high quality source for vulnerability data.

Affected

• Amazon Linux 2
• Red Hat Enterprise Linux
• SUSE Linux
• Oracle Linux
• Open Source Linux Kernel
• Dell Secure Connect Gateway

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 6.0.0
• 6.0.1
• 6.0.2
• 6.0.3
• 6.0.4
• 6.0.5
• 6.0.6
• 6.0.7
• 6.0.8
• 6.0.9
• 6.0.10
• 6.0.11
• 6.0.12
• 6.0.13
• 6.0.14
• 6.0.15
• 6.1.0
• 6.1.1

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion