CVE-2024-36011 - Exploiting and Understanding the Linux Kernel Bluetooth Null Pointer Dereference
In mid-2024, a new vulnerability — CVE-2024-36011 — was discovered and patched in the Linux kernel. This issue centers on the Bluetooth subsystem, specifically the "Host Controller Interface" (HCI) layer used for Bluetooth communications. Put simply, a potential null pointer dereference could happen during handling of certain Bluetooth events. In this article, we'll break down what CVE-2024-36011 is, how it was fixed, and what it could mean for system security. We'll also show the code involved, demonstrate a simplified version of how it could be abused, and provide further reading.
What is CVE-2024-36011?
This vulnerability is found in the Linux kernel's Bluetooth stack, in the function hci_le_big_sync_established_evt(). If certain Bluetooth events are triggered, the function might try to use a pointer that hasn't been set—in other words, it's NULL. This can cause the kernel to crash (kernel panic), potentially leading to a denial of service (DoS). In rare cases and specific setups, this kind of bug *could* be improved into something more serious.
The bug was fixed on June 11, 2024, and the patch is now included in newer Linux kernels.
The Vulnerable Code
Let’s break down the main part of the code that caused trouble. Here’s a simplified version of the faulty function, before the patch:
static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data)
{
struct hci_conn *conn;
conn = hci_conn_hash_lookup_le(hdev, /* params */);
/* ... */
conn->some_member = /* something */; // Potential null-ptr deref!
}
The core problem is that hci_conn_hash_lookup_le() might not find a connection, which makes conn == NULL. If the code then tries to access conn->some_member, it crashes the system.
The Fix
The patch simply checks if conn is NULL before using it. Here’s what that code looks like after the fix:
if (!conn)
return;
conn->some_member = /* something */;
So, with this basic check, the kernel avoids using a NULL pointer, stopping the crash.
Who is affected?
- Any system running an affected Linux kernel, with Bluetooth support enabled, could potentially be impacted.
What could an attacker do?
Usually, this type of bug is good for a Denial of Service (DoS) attack: forcing the system to crash by triggering the flaw remotely (through Bluetooth).
Be within Bluetooth range of a target system;
2. Use a Bluetooth device or a tool like bluetoothctl, or a custom script, to send a specially crafted LE BIG (Broadcast Isochronous Group) Sync Established Event;
Pseudocode example for potential exploitation
# This is a high-level illustration, not working code!
send_bluetooth_event(
event_type = LE_BIG_SYNC_ESTABLISHED,
connection_id = INVALID_ID # triggers NULL return in lookup
)
In the real world, creating such a crafted Bluetooth packet requires advanced knowledge and tools, but conceptually, this is what would happen.
For servers, headless devices, and industrial systems using Bluetooth, this could lead to outages.
Mitigation:
Upgrade your Linux kernel to a version that includes the patch (June 2024 or later). If you don’t use Bluetooth, disable it as a best security practice.
Links and References
- CVE Record - CVE-2024-36011
- Linux Kernel Patch Commit (June 11, 2024)
- Bluetooth LE BIGs Explained
Conclusion
CVE-2024-36011 is a reminder that even minor oversights in kernel code can have real-world security impacts. Null pointer dereferences are often overlooked, but in systems as complex as Linux, they can be dangerous. Always keep your systems updated, and stay informed of recent CVEs.
If you want to dive deeper, read the official Linux kernel commit linked above. And if your devices don’t absolutely need Bluetooth, consider disabling it — it’s one less avenue for attack!
*Written for system admins, developers, and security professionals wanting a plain-English, hands-on look at this new Bluetooth kernel bug.*
Timeline
Published on: 05/23/2024 07:15:08 UTC
Last modified on: 01/06/2025 22:34:51 UTC