
CVE-2023-28464: Linux Kernel Use-After-Free Vulnerability

CVE-2023-28464 is a use-after-free vulnerability in the Linux kernel Bluetooth subsystem that may lead to privilege escalation through a double free condition. This article covers technical details, affected versions, and mitigations.

Published: February 4, 2026

CVE-2023-28464 Overview

CVE-2023-28464 is a use-after-free and double free vulnerability in the Linux kernel's Bluetooth subsystem. Specifically, the flaw exists in hci_conn_cleanup within net/bluetooth/hci_conn.c, where improper memory management through calls to hci_dev_put and hci_conn_put can lead to use-after-free conditions observed in hci_conn_hash_flush. This double free vulnerability may be exploited to achieve privilege escalation on affected systems.

Critical Impact

Local attackers with low privileges can potentially exploit this double free vulnerability to escalate privileges, achieving full compromise of system confidentiality, integrity, and availability.

Affected Products

  • Linux Kernel through version 6.2.9 (including 6.1.25, 6.2.12, and 6.3 release candidates)
  • NetApp H300S Firmware
  • NetApp H410C Firmware
  • NetApp H410S Firmware
  • NetApp H500S Firmware
  • NetApp H700S Firmware

Discovery Timeline

  • 2023-03-31 - CVE-2023-28464 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2023-28464

Vulnerability Analysis

The vulnerability resides in the Bluetooth Host Controller Interface (HCI) connection handling code within the Linux kernel. The hci_conn_cleanup function in net/bluetooth/hci_conn.c improperly manages memory deallocation for HCI connection objects.

When HCI connections are being cleaned up, the function calls both hci_dev_put and hci_conn_put in a sequence that can result in the same memory being freed twice. This double free condition creates a use-after-free scenario that becomes observable during hci_conn_hash_flush operations.

The vulnerability requires local access to exploit, meaning an attacker must have a presence on the target system. However, the privilege requirements are low, making this accessible to unprivileged local users who can interact with the Bluetooth subsystem.

Root Cause

The root cause is improper reference counting and memory management in the HCI connection cleanup path. The hci_conn_cleanup function incorrectly handles the lifecycle of connection objects, calling deallocation functions (hci_dev_put and hci_conn_put) in a manner that leads to double-freeing memory. This represents a CWE-415 (Double Free) weakness where dynamically allocated memory is freed more than once, corrupting the memory allocator's internal data structures.

Attack Vector

The attack vector is local, requiring the attacker to have existing access to the target system. An attacker can trigger this vulnerability by manipulating Bluetooth connection states in a way that causes the vulnerable cleanup path to execute. When the double free occurs, it corrupts kernel heap metadata, which can potentially be leveraged for privilege escalation.

The exploitation path involves:

  1. Establishing or manipulating HCI Bluetooth connections
  2. Triggering the cleanup routine under specific race conditions
  3. Exploiting the corrupted heap state to gain elevated privileges

The vulnerability mechanism involves improper reference counting in the HCI connection cleanup path. When hci_conn_cleanup is invoked, it calls hci_dev_put and hci_conn_put without properly tracking whether the memory has already been released, leading to a double free condition observable in hci_conn_hash_flush. For detailed technical analysis, see the Linux Kernel Mailing List Post and the Openwall OSS Security Discussion.

Detection Methods for CVE-2023-28464

Indicators of Compromise

  • Unexpected kernel crashes or panics related to Bluetooth subsystem operations, particularly involving hci_conn_hash_flush or hci_conn_cleanup
  • Unusual Bluetooth connection activity or manipulation attempts by unprivileged users
  • KASAN (Kernel Address Sanitizer) reports indicating use-after-free or double-free in HCI connection handling code
  • Anomalous privilege escalation events following Bluetooth-related activity

Detection Strategies

  • Deploy kernel auditing tools to monitor for unusual Bluetooth HCI operations, particularly around connection establishment and teardown
  • Enable KASAN in development and testing environments to detect memory corruption issues related to this vulnerability
  • Monitor system logs for kernel warnings or errors related to hci_conn_cleanup, hci_conn_hash_flush, or Bluetooth reference counting
  • Use SentinelOne's behavioral AI to detect privilege escalation attempts following Bluetooth subsystem manipulation

Monitoring Recommendations

  • Implement continuous monitoring of kernel logs for Bluetooth subsystem anomalies using centralized logging solutions
  • Configure alerting for any kernel memory corruption indicators (KASAN, SLUB debugging) in production-critical systems
  • Monitor for unusual local user activity involving Bluetooth device manipulation or HCI socket operations
  • Utilize SentinelOne Singularity platform for real-time detection of exploitation attempts and privilege escalation behaviors
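
One way to run the kernel-log check described in the detection and monitoring lists above, as an added example (not code from SentinelOne or the kernel project). It reads kernel log text and prints each KASAN report that mentions hci_conn_cleanup or hci_conn_hash_flush; the names hci_kasan_hits and sample_log and the sample log lines are constructed for illustration.

```bash
# Added example: flag KASAN reports that mention the HCI connection
# functions named in this advisory. Reads kernel log text on stdin and
# prints one line per hit: <bug type> | <advisory functions seen>
hci_kasan_hits() {
  awk '
    function emit() {
      if (inrep && funcs != "") print kind " | " funcs
      inrep = 0; kind = ""; funcs = ""
    }
    index($0, "==========") { emit() }     # separator line closes a report
    /BUG: KASAN:/ {
      inrep = 1; kind = $0
      sub(/^.*BUG: KASAN: /, "", kind)     # drop timestamp and prefix
      sub(/ in .*$/, "", kind)             # keep only the bug type
    }
    inrep && match($0, /hci_conn_(cleanup|hash_flush)/) {
      f = substr($0, RSTART, RLENGTH)
      if (index(" " funcs " ", " " f " ") == 0)   # record each name once
        funcs = (funcs == "" ? f : funcs " " f)
    }
    END { emit() }
  '
}

# Constructed sample: one Bluetooth-related report, one unrelated report.
sample_log() {
  cat <<'EOF'
[  101.000001] ==================================================================
[  101.000002] BUG: KASAN: use-after-free in hci_conn_hash_flush+0x23c/0x260
[  101.000003] Read of size 8 at addr ffff888000000000 by task kworker/u5:1/77
[  101.000004] Call Trace:
[  101.000005]  hci_conn_hash_flush+0x23c/0x260
[  101.000006] Freed by task 77:
[  101.000007]  kfree+0xf0/0x4b0
[  101.000008]  hci_conn_cleanup+0x2f0/0x3e0
[  101.000009] ==================================================================
[  250.000001] ==================================================================
[  250.000002] BUG: KASAN: use-after-free in example_driver_read+0x40/0x90
[  250.000003] Read of size 4 at addr ffff888000000100 by task cat/901
[  250.000004] ==================================================================
[  300.000001] Bluetooth: hci0: command tx timeout
EOF
}

sample_log | hci_kasan_hits
```

On a live host, pipe `dmesg` or `journalctl -k` output into `hci_kasan_hits` instead of the sample.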

How to Mitigate CVE-2023-28464

Immediate Actions Required

  • Update the Linux kernel to a patched version that addresses the double free issue in hci_conn_cleanup
  • If immediate patching is not possible, consider disabling Bluetooth functionality on affected systems where it is not operationally required
  • Review and restrict local user access to Bluetooth subsystem interfaces on sensitive systems
  • Apply vendor-specific patches for affected NetApp firmware (H300S, H410C, H410S, H500S, H700S)

Patch Information

Patches addressing this vulnerability have been submitted to the Linux kernel. The fix corrects the reference counting logic in hci_conn_cleanup to prevent the double free condition. Users should update to Linux kernel versions newer than 6.2.9 that include the fix, or apply backported patches for their distribution.

For NetApp appliances, refer to the NetApp Security Advisory NTAP-20230517-0004 for firmware updates addressing this vulnerability.

Workarounds

  • Disable Bluetooth functionality system-wide by blacklisting the bluetooth kernel module if Bluetooth is not required for operations
  • Restrict access to Bluetooth interfaces using appropriate user permissions and group membership controls
  • Implement network segmentation to limit exposure of systems with Bluetooth enabled to trusted users only
  • Monitor and audit local user activities related to Bluetooth operations until patching can be completed
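```bash
# Run as root. Blacklist the Bluetooth modules so they are not auto-loaded
echo "blacklist bluetooth" >> /etc/modprobe.d/bluetooth-disable.conf
echo "blacklist btusb" >> /etc/modprobe.d/bluetooth-disable.conf

# Unload the modules if currently loaded
# (this fails while other modules or services are still using them)
modprobe -r btusb bluetooth

# Verify Bluetooth is disabled: no output means the module is not loaded
lsmod | grep bluetooth
```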

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Use After Free
  • Vendor/Tech: Linux Kernel
  • Severity: HIGH
  • CVSS Score: 7.8
  • EPSS Probability: 0.01%
  • Known Exploited: No

CVSS Vector

  • CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • CWE-415

Technical References

  • NetApp Security Advisory NTAP-20230517-0004
  • Openwall OSS Security Discussion 2

Vendor Resources

  • Linux Kernel Mailing List Post
  • Openwall OSS Security Discussion 1

Related CVEs

  • CVE-2026-31414: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-31426: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-31427: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-31419: Linux Kernel Use-After-Free Vulnerability