CVE-2024-56757 - Linux Kernel Bluetooth Mediatek USB Disconnect Vulnerability Explained
A new vulnerability, CVE-2024-56757, was discovered and patched in the Linux kernel, affecting how certain MediaTek Bluetooth USB dongles manage their internal cleanup during device removal. If you’re using MediaTek-based Bluetooth USB devices on your Linux machine, this simple flaw could lead to a kernel panic—causing your system to crash—if the dongle is unplugged without a proper interface release.
In this article, we’ll break down what went wrong, how the Linux kernel team fixed it, and share some practical details and exploit scenarios. We’ll use clear language and code snippets so even newcomers can understand.
What Happened?
MediaTek’s Bluetooth USB implementation uses a special USB interrupt interface for ISO (isochronous) data transmission. When unplugging the device (*USB disconnect*), this interface must be released before the kernel un-registers the related Bluetooth HCI (Host Controller Interface) device.
If the interface isn’t released in time, the kernel may operate on an already removed interface, causing a kernel panic. This kind of crash is severe—it can bring your entire system down.
Here’s a simplified version of the problematic Linux driver code *before* the patch:

```c
// Simplified (as in this article, not the verbatim kernel source):
// usb_disconnect handler in drivers/bluetooth/btusb.c, MediaTek path
#include <linux/usb.h>
#include <net/bluetooth/hci_core.h>

static void btusb_disconnect(struct usb_interface *intf)
{
	struct hci_dev *hdev = usb_get_intfdata(intf);

	if (!hdev)
		return;

	// Problem: MediaTek's special ISO interface is not released here!
	hci_unregister_dev(hdev); // Can cause a kernel panic if the interface is still held
}
```
The missing step is a proper release flow for MediaTek’s ISO interface before hci_unregister_dev() is triggered.
The Patch: How It Was Fixed
The kernel team introduced *interface release logic* for MediaTek devices. Now, when the device disconnects, the special interface is always released *before* unregistering the HCI device.
Here’s the fixed snippet (again simplified; the helper names below stand in for the real driver functions):

```c
#include <linux/usb.h>
#include <net/bluetooth/hci_core.h>

static void btusb_disconnect(struct usb_interface *intf)
{
	struct hci_dev *hdev = usb_get_intfdata(intf);

	if (!hdev)
		return;

	// New: release the MediaTek ISO interface first!
	if (is_mediatek_bt(intf))
		mediatek_intf_release(intf);

	hci_unregister_dev(hdev); // Safe to unregister now
}
```
This ensures no references stick around and prevents that kernel panic.
Reference: You can view the patch on the official Linux kernel mailing list here *(replace with real commit URL if available)*.
The crash sequence looks like this:
- Have the kernel load the standard btusb module.
- While the dongle is still in use, unplug it suddenly (without a software shutdown or other precautions).
- The ISO interface from MediaTek is not released.
- The kernel tries to unregister the HCI device but acts on a half-initialized (or already-gone) interface.
Is this remotely exploitable?
No, but if you had physical access (or could convince a user to pull a dongle at the wrong time), you could use this crash to trigger a denial-of-service (DoS) attack on a Linux machine.
Affected systems are those using the btusb kernel module without the patched release flow (kernels older than mid-2024). If you don’t use MediaTek Bluetooth dongles, you are not affected.
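To turn that "am I affected?" question into something you can run, here is an added triage script (not from the article or the kernel tree). It scans a sysfs-style USB tree for a MediaTek device exposing a Bluetooth interface and checks whether btusb is loaded; it assumes MediaTek's USB vendor id 0x0e8d and the standard USB Bluetooth interface class codes (e0/01/01).

```shell
#!/bin/sh
# Added triage helper, not taken from the article or the kernel tree.
# It answers "is the btusb MediaTek path in play on this host?" by scanning
# a sysfs-style USB tree for a MediaTek device that exposes a Bluetooth
# interface, and by checking whether btusb is loaded.
# Assumptions: MediaTek's USB vendor id is 0x0e8d, and a Bluetooth interface
# carries USB class e0 / subclass 01 / protocol 01 (Wireless RF, Bluetooth).

SYSFS_USB="${SYSFS_USB:-/sys/bus/usb/devices}"

# read_attr DIR NAME: print the sysfs attribute, trimmed; nothing if absent.
read_attr() {
    [ -r "$1/$2" ] && tr -d '[:space:]' < "$1/$2"
}

# mtk_bt_present DIR: return 0 if some device under DIR has MediaTek's
# vendor id and at least one Bluetooth interface, 1 otherwise.
mtk_bt_present() {
    found=1
    for dev in "$1"/*; do
        [ -d "$dev" ] || continue
        [ "$(read_attr "$dev" idVendor)" = "0e8d" ] || continue
        # Interface dirs live inside the device dir, e.g. 1-2/1-2:1.0
        for intf in "$dev"/*:*; do
            [ -d "$intf" ] || continue
            if [ "$(read_attr "$intf" bInterfaceClass)" = "e0" ] &&
               [ "$(read_attr "$intf" bInterfaceSubClass)" = "01" ] &&
               [ "$(read_attr "$intf" bInterfaceProtocol)" = "01" ]; then
                echo "MediaTek Bluetooth interface: $(basename "$intf")"
                found=0
            fi
        done
    done
    return $found
}

# btusb_loaded [MODULES_FILE]: return 0 if btusb is listed in /proc/modules.
btusb_loaded() {
    grep -q '^btusb ' "${1:-/proc/modules}"
}

# Stand-alone run: "sh triage.sh --check". Whether the running kernel has
# the fix is still a question for your distribution's advisory.
if [ "${1:-}" = "--check" ]; then
    if mtk_bt_present "$SYSFS_USB" && btusb_loaded; then
        echo "btusb drives a MediaTek dongle; verify kernel $(uname -r) carries the CVE-2024-56757 fix"
    else
        echo "no MediaTek Bluetooth dongle handled by btusb found"
    fi
fi
```

The script only tells you whether the vulnerable driver path is reachable on the host; it cannot tell whether the running kernel build already contains the patch.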
How Do I Fix It?
Update your kernel! The fix has landed in the mainline kernel, and should also be backported to stable and LTS kernels. Search your distribution for updates—terms like “CVE-2024-56757”, “Bluetooth Mediatek USB”, or check their security advisories.
If you build your own kernels, make sure you have the patch that adds the interface release in the Mediatek path in drivers/bluetooth/btusb.c.
- No data theft or code execution: just a possible system crash.
- Always safely remove USB devices, but with this patch the kernel-panic risk is gone even if you yank the dongle.
More Reading
- CVE-2024-56757 at cve.org
- Linux Kernel Bluetooth source
- Commit Discussion on LKML
Stay updated, stay secure! If you’re running Linux on newer gear, always update your kernel to get the latest security patches—even for those USB dongles nobody thinks about.
Timeline
Published on: 01/06/2025 17:15:40 UTC
Last modified on: 01/07/2025 22:46:35 UTC