
CVE-2022-42896: Linux Kernel Bluetooth UAF Vulnerability

CVE-2022-42896 is a use-after-free vulnerability in Linux Kernel's Bluetooth implementation that enables remote code execution and memory leaks. This article covers the technical details, affected versions, and mitigation.

Published: February 18, 2026

CVE-2022-42896 Overview

CVE-2022-42896 identifies critical use-after-free vulnerabilities in the Linux kernel's Bluetooth L2CAP (Logical Link Control and Adaptation Protocol) subsystem. The vulnerabilities exist within the l2cap_connect and l2cap_le_connect_req functions located in net/bluetooth/l2cap_core.c. These flaws can be exploited by remote attackers within Bluetooth proximity to achieve code execution or leak sensitive kernel memory.

The vulnerability allows an attacker with adjacent network access via Bluetooth to potentially execute arbitrary code or extract confidential kernel memory contents. This represents a significant security risk for systems with Bluetooth enabled and exposed to untrusted environments.

Critical Impact

Remote attackers within Bluetooth range can exploit these use-after-free conditions to execute arbitrary code or leak kernel memory, potentially leading to complete system compromise without requiring authentication or user interaction.

Affected Products

  • Linux Kernel (multiple versions with vulnerable Bluetooth L2CAP implementation)
  • Systems running Linux with Bluetooth functionality enabled
  • Devices using the affected net/bluetooth/l2cap_core.c implementation

Discovery Timeline

  • 2022-11-23 - CVE-2022-42896 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-42896

Vulnerability Analysis

This vulnerability is classified as CWE-416 (Use After Free), a memory corruption flaw where the application continues to reference memory after it has been freed. In the context of CVE-2022-42896, the Linux kernel's Bluetooth L2CAP implementation improperly handles connection requests, leading to use-after-free conditions in two key functions.

The l2cap_connect and l2cap_le_connect_req functions fail to properly validate incoming connection parameters before processing. Specifically, the vulnerability stems from improper handling of the Protocol/Service Multiplexer (PSM) values during Bluetooth Low Energy credit-based connection requests. When invalid SPSM (Simplified Protocol/Service Multiplexer) values are accepted, the kernel can reference freed memory structures, creating an exploitable condition.

An adjacent attacker within Bluetooth radio range can craft malicious L2CAP connection requests to trigger these use-after-free conditions. Successful exploitation can result in arbitrary code execution within the kernel context or information disclosure through kernel memory leaks.

Root Cause

The root cause is insufficient input validation of the PSM parameter in the L2CAP connection handling code. According to the Bluetooth Core Specification Version 5.3, Volume 3, Part A, the valid range for SPSM values in L2CAP_LE_CREDIT_BASED_CONNECTION_REQ should be 0x0001-0x00ff. The vulnerable code failed to enforce this boundary, accepting invalid or zero PSM values that could lead to improper memory access patterns and use-after-free conditions.

Attack Vector

The attack vector requires adjacent network access via Bluetooth. An attacker must be within Bluetooth radio range of the target device (typically up to 100 meters for Class 1 devices). The attack does not require authentication or user interaction, making it particularly dangerous in public environments or shared workspaces where Bluetooth is commonly enabled.

The attacker can send specially crafted L2CAP connection request packets with invalid SPSM values to trigger the vulnerability. Since Bluetooth operates at the link layer, traditional network-based security controls are ineffective against this attack vector.

c
 	BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
 	       scid, mtu, mps);

+	/* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
+	 * page 1059:
+	 *
+	 * Valid range: 0x0001-0x00ff
+	 *
+	 * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
+	 */
+	if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {
+		result = L2CAP_CR_LE_BAD_PSM;
+		chan = NULL;
+		goto response;
+	}
+
 	/* Check if we have socket listening on psm */
 	pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
 				 &conn->hcon->dst, LE_LINK);
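
Review bot: In the added if, the upper bound is the macro L2CAP_PSM_LE_DYN_END while the comment directly above states the valid range as 0x0001-0x00ff; the macro's value is not visible in this hunk, so confirm it equals 0x00ff, otherwise the check and the comment can drift apart. The !psm test reads the raw little-endian value while the upper-bound test converts with __le16_to_cpu(psm); that is correct because zero is the same in either byte order, but a brief comment would save the next reader the pause. The early exit sets chan = NULL before goto response, so the code at the response label has to tolerate a NULL channel. The comment names only L2CAP_LE_CREDIT_BASED_CONNECTION_REQ, so this excerpt covers the LE credit-based request path only.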

Source: GitHub Linux Commit

Detection Methods for CVE-2022-42896

Indicators of Compromise

  • Unusual Bluetooth L2CAP connection attempts with malformed or invalid PSM values
  • Kernel crashes or panics related to Bluetooth subsystem memory access violations
  • Unexpected memory access patterns in l2cap_core.c functions observed through kernel debugging
  • System instability following Bluetooth device pairing attempts from unknown devices

Detection Strategies

  • Monitor kernel logs for Bluetooth-related OOPS, panics, or use-after-free warnings in the L2CAP subsystem
  • Deploy endpoint detection solutions capable of monitoring kernel-level Bluetooth activity for anomalies
  • Implement Bluetooth traffic analysis to detect malformed L2CAP connection requests
  • Use kernel address sanitizer (KASAN) in development/testing environments to detect use-after-free conditions
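
The SPSM range check described under Root Cause, applied to captured frames for the L2CAP traffic analysis listed above. This is an added example, not code from the kernel or from this page's vendor: the function, enum and sample frames are constructed for illustration, the frame layout (LE signaling CID 0x0005, command code 0x14, fixed 10-byte request body) follows the Bluetooth Core Specification, and the 0x0001-0x00ff range is the one quoted on this page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Names are this example's own; values follow the Bluetooth Core Specification. */
#define CID_LE_SIGNALING   0x0005  /* fixed channel for LE L2CAP signaling */
#define CODE_LE_CREDIT_REQ 0x14    /* L2CAP_LE_CREDIT_BASED_CONNECTION_REQ */
#define SPSM_MAX           0x00ff  /* upper end of the range quoted on this page */

enum verdict { NOT_LE_CREDIT_REQ, SPSM_OK, SPSM_INVALID, MALFORMED };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Classify one captured L2CAP frame (4-byte basic header followed by payload). */
enum verdict classify_frame(const uint8_t *f, size_t n, uint16_t *spsm)
{
    if (n < 4 || (size_t)le16(f) + 4 != n)
        return MALFORMED;              /* L2CAP length must match the capture */
    if (le16(f + 2) != CID_LE_SIGNALING)
        return NOT_LE_CREDIT_REQ;
    if (n < 8 || (size_t)le16(f + 6) + 8 != n)
        return MALFORMED;              /* exactly one command per LE C-frame */
    if (f[4] != CODE_LE_CREDIT_REQ)
        return NOT_LE_CREDIT_REQ;
    if (n != 18)
        return MALFORMED;              /* SPSM, SCID, MTU, MPS, credits = 10 bytes */
    *spsm = le16(f + 8);
    return (*spsm == 0 || *spsm > SPSM_MAX) ? SPSM_INVALID : SPSM_OK;
}

/* Constructed sample frames: identical except for the two SPSM bytes. */
#define FRAME(lo, hi) { 0x0e,0x00, 0x05,0x00, 0x14,0x01, 0x0a,0x00, \
                        (lo),(hi), 0x40,0x00, 0x00,0x02, 0xf7,0x00, 0x0a,0x00 }
const uint8_t sample_ok[]   = FRAME(0x80, 0x00);  /* SPSM 0x0080, in range  */
const uint8_t sample_zero[] = FRAME(0x00, 0x00);  /* SPSM 0x0000, invalid   */
const uint8_t sample_high[] = FRAME(0x00, 0x01);  /* SPSM 0x0100, invalid   */

int main(void)
{
    const uint8_t *s[] = { sample_ok, sample_zero, sample_high };
    for (int i = 0; i < 3; i++) {
        uint16_t spsm = 0;
        enum verdict v = classify_frame(s[i], sizeof sample_ok, &spsm);
        printf("frame %d: spsm=0x%04x verdict=%d\n", i, (unsigned)spsm, (int)v);
    }
    return 0;
}
```
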

Monitoring Recommendations

  • Enable comprehensive kernel logging for the Bluetooth subsystem (CONFIG_BT_DEBUG)
  • Implement alerting for repeated failed Bluetooth connection attempts from the same MAC address
  • Monitor system stability metrics and correlate any crashes with Bluetooth activity
  • Deploy network security monitoring tools capable of analyzing Bluetooth protocol traffic in enterprise environments

How to Mitigate CVE-2022-42896

Immediate Actions Required

  • Update the Linux kernel to a version containing commit 711f8c3fb3db61897080468586b970c87c61d9e4
  • Disable Bluetooth functionality on systems where it is not required
  • Restrict physical access to high-security systems to limit Bluetooth proximity attacks
  • Implement Bluetooth device whitelisting where supported to reject connections from unknown devices

Patch Information

The vulnerability has been addressed in the official Linux kernel through commit 711f8c3fb3db61897080468586b970c87c61d9e4. This patch adds proper validation of the SPSM range according to the Bluetooth Core Specification Version 5.3, rejecting connection requests with invalid PSM values before they can trigger the use-after-free condition.

Organizations should upgrade to patched kernel versions available through their Linux distribution's security update channels. Refer to the GitHub Linux Commit and Kernel Dance Reference for technical details on the fix.

Workarounds

  • Disable Bluetooth at the kernel level by blacklisting Bluetooth modules (blacklist btusb, blacklist bluetooth)
  • Use hardware Bluetooth disable switches if available on the device
  • Implement network segmentation and physical security controls to limit attacker proximity
  • Deploy endpoint protection solutions with kernel-level monitoring capabilities
bash
# Configuration example - Disable Bluetooth modules (run as root)
# "blacklist" only stops automatic loading by alias; modules that are already
# loaded stay loaded until they are removed or the system is rebooted.
echo "blacklist btusb" >> /etc/modprobe.d/blacklist-bluetooth.conf
echo "blacklist bluetooth" >> /etc/modprobe.d/blacklist-bluetooth.conf
echo "blacklist btrtl" >> /etc/modprobe.d/blacklist-bluetooth.conf
echo "blacklist btbcm" >> /etc/modprobe.d/blacklist-bluetooth.conf
echo "blacklist btintel" >> /etc/modprobe.d/blacklist-bluetooth.conf

# Apply changes (update-initramfs is the Debian/Ubuntu tool for rebuilding the initramfs)
update-initramfs -u
systemctl stop bluetooth
systemctl disable bluetooth

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Use After Free
  • Vendor/Tech: Linux Kernel
  • Severity: HIGH
  • CVSS Score: 8.8
  • EPSS Probability: 0.42%
  • Known Exploited: No

CVSS Vector

  • CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • CWE-416

Vendor Resources

  • GitHub Linux Commit
  • Kernel Dance Reference

Related CVEs

  • CVE-2026-31745: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-43048: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-43049: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-43056: Linux Kernel Use-After-Free Vulnerability