PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-22099 Linux CVE debrief

CVE-2024-22099 describes a NULL pointer dereference in the Linux kernel Bluetooth RFCOMM path, specifically in net/bluetooth/rfcomm/core.c. The supplied record assigns CVSS 3.1 6.3 (MEDIUM) with network attack vector, high attack complexity, low privileges required, no user interaction, changed scope, and high availability impact. The source record was published on 2024-01-25 and later modified on 2026-05-12; the modification date should not be treated as the issue date.

Vendor: Linux
Product: CVE-2024-22099
CVSS: MEDIUM 6.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-01-25
Original CVE updated: 2026-05-12
Advisory published: 2024-01-25
Advisory updated: 2026-05-12

Who should care

Linux distribution security teams, kernel maintainers, fleet operators running affected Linux kernel builds, and environments that enable Bluetooth or depend on the RFCOMM stack. Systems with multi-user access or broad kernel package deployment should pay particular attention because the issue can be reached with low privileges and affects availability.

Technical summary

The source corpus identifies CWE-476 (NULL Pointer Dereference) in the Linux kernel Bluetooth RFCOMM code path. NVD maps the issue to cpe:2.3:o:linux:linux_kernel:2.6.12:rc2 and reports CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H. The supplied material does not provide deeper root-cause detail beyond the affected file path and the Bluetooth/net module context, so no further implementation specifics should be inferred.

Defensive priority

Medium priority. The score is moderate, but the availability impact is high and the attack requires only low privileges. Prioritize systems that actually ship the affected kernel code path or receive backported fixes through vendor kernels.

Recommended defensive actions

  • Apply the vendor or distribution kernel update that addresses CVE-2024-22099 as cited in your Linux, Debian, Fedora, or Siemens advisory stream.
  • Verify whether any deployed kernels backport the fix even if the version string differs from upstream 2.6.12-rc2.
  • Review whether Bluetooth is required on affected hosts; disable or restrict Bluetooth services where business needs allow.
  • Limit low-privilege access on systems that expose the affected kernel path, since the CVSS vector includes PR:L.
  • Track fleet exposure using package and kernel inventory rather than version strings alone, because distro backports may change the vulnerable/fixed status.
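The following POSIX shell script is an added example, not PatchSiren's own tooling, showing how the exposure checks above can be scripted: it parses lsmod-style output for the Bluetooth modules (rfcomm, bnep, btusb, bluetooth are the upstream module names), searches a kernel package changelog for the CVE id rather than trusting the version string, and emits a modprobe.d stanza that keeps rfcomm from loading where Bluetooth is not needed. The lsmod and changelog samples are constructed for the example; the package version in the changelog sample is a placeholder.

```shell
#!/bin/sh
# Constructed sample of `lsmod` output (not captured from a real host).
SAMPLE_LSMOD='Module                  Size  Used by
rfcomm                 98304  4
bnep                   32768  2
btusb                  73728  0
bluetooth            1048576  30 btusb,bnep,rfcomm'

# Constructed sample of a distro kernel changelog; version is a placeholder.
SAMPLE_CHANGELOG='linux (0.0.0-placeholder) example-security; urgency=high
  * Bluetooth: rfcomm: fix NULL pointer dereference (CVE-2024-22099)'

# Exit 0 if module $1 appears in lsmod-style text read from stdin.
module_loaded() {
    awk -v m="$1" 'NR > 1 && $1 == m { found = 1 } END { exit found ? 0 : 1 }'
}

# Exit 0 if the changelog text on stdin mentions CVE id $1 (backport check
# that does not depend on the kernel version string matching upstream).
changelog_mentions_cve() {
    grep -qF -- "$1"
}

# Print the modprobe.d stanza that stops rfcomm from being loaded.
# "blacklist" only disables alias autoloading; the "install" line also
# defeats explicit `modprobe rfcomm`, so both are emitted.
rfcomm_blacklist_conf() {
    printf '%s\n' 'blacklist rfcomm' 'install rfcomm /bin/false'
}

# Report load state of each Bluetooth module in the supplied lsmod text.
report_bt_modules() {
    text="$1"
    for m in rfcomm bnep btusb bluetooth; do
        if printf '%s\n' "$text" | module_loaded "$m"; then
            echo "$m: loaded"
        else
            echo "$m: not loaded"
        fi
    done
}

# Demonstration on the constructed samples.
report_bt_modules "$SAMPLE_LSMOD"
if printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_mentions_cve CVE-2024-22099; then
    echo "changelog references CVE-2024-22099: fix appears backported"
else
    echo "changelog does not reference CVE-2024-22099: treat as unpatched"
fi

# Live use on a real host (commented out here):
# lsmod | module_loaded rfcomm && echo "rfcomm is loaded"
# zcat /usr/share/doc/linux-image-*/changelog.Debian.gz | changelog_mentions_cve CVE-2024-22099
# rpm -q --changelog kernel | changelog_mentions_cve CVE-2024-22099
# rfcomm_blacklist_conf > /etc/modprobe.d/disable-rfcomm.conf
```

The changelog search is deliberately a string match on the CVE id: distribution kernels frequently carry the fix under a version number that bears no relation to the upstream 2.6.12-rc2 CPE, so the changelog (or the vendor advisory) is the reliable signal, not the version string.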

Evidence notes

This debrief is based only on the supplied NVD-derived record and the linked official references. The record states a Linux kernel Bluetooth RFCOMM NULL pointer dereference, CWE-476, CVSS 3.1 vector AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H, and an affected CPE for linux_kernel 2.6.12-rc2. The corpus also includes official advisory references from CVE.org, NVD, Debian LTS, Fedora package announcements, Siemens ProductCERT, and an OpenAnolis bug tracker entry, but no additional exploitability details are asserted here.

Official resources

Publicly disclosed in the CVE record on 2024-01-25T07:15:08.697Z. The NVD record was later modified on 2026-05-12T12:16:17.203Z. The supplied enrichment does not mark this CVE as KEV.