CVE-2026-23146

Summary

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work

hci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling hci_uart_register_dev(), which calls proto->open() to initialize hu->priv. However, if a TTY write wakeup occurs during this window, hci_uart_tx_wakeup() may schedule write_work before hu->priv is initialized, leading to a NULL pointer dereference in hci_uart_write_work() when proto->dequeue() accesses hu->priv.

The race condition is:

CPU0 CPU1


hci_uart_set_proto() set_bit(HCI_UART_PROTO_INIT) hci_uart_register_dev() tty write wakeup hci_uart_tty_wakeup() hci_uart_tx_wakeup() schedule_work(&hu->write_work) proto->open(hu) // initializes hu->priv hci_uart_write_work() hci_uart_dequeue() proto->dequeue(hu) // accesses hu->priv (NULL!)

Fix this by moving set_bit(HCI_UART_PROTO_INIT) after proto->open() succeeds, ensuring hu->priv is initialized before any work can be scheduled.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxa40f94f7caa8d3421b64f63ac31bc0f24c890f39 < b0a900939e7e4866d9b90e9112514b72c451e873affected
LinuxLinux9e5a0f5777162e503400c70c6ed25fbbe2d38799 < ccc683f597ceb28deb966427ae948e5ac739a909affected
LinuxLinux80f14e9de6a43a0bd8194cad1003a3e6dcbc3984 < 937a573423ce5a96fdb1fd425dc6b8d8d4ab5779affected
LinuxLinux02e1bcdfdf769974e7e9fa285e295cd9852e2a38 < 186d147cf7689ba1f9b3ddb753ab634a84940cc9affected
LinuxLinux281782d2c6730241e300d630bb9f200d831ede71 < 53e54cb31e667fca05b1808b990eac0807d1dab0affected
LinuxLinux5df5dafc171b90d0b8d51547a82657cd5a1986c7 < 03e8c90c62233382042b7bd0fa8b8900552fdb62affected
LinuxLinux5df5dafc171b90d0b8d51547a82657cd5a1986c7 < 0c3cd7a0b862c37acbee6d9502107146cc944398affected
LinuxLinux1dcf08fcff5ca529de6dc0395091f28854f4e54aaffected
LinuxLinux8e5aff600539e5faea294d9612cca50220e602b8affected
LinuxLinuxdb7509fa110dd9b11134b75894677f30353b2c51affected
LinuxLinux5.10.237 < 5.10.249affected
LinuxLinux5.15.181 < 5.15.199affected
LinuxLinux6.1.135 < 6.1.162affected
LinuxLinux6.6.88 < 6.6.123affected
LinuxLinux6.12.24 < 6.12.69affected
LinuxLinux5.4.293 < 5.5affected
LinuxLinux6.13.12 < 6.14affected
LinuxLinux6.14.3 < 6.15affected
LinuxLinux6.15affected
LinuxLinux0 < 6.15unaffected
LinuxLinux5.10.249 <= 5.10.*unaffected
LinuxLinux5.15.199 <= 5.15.*unaffected
LinuxLinux6.1.162 <= 6.1.*unaffected
LinuxLinux6.6.123 <= 6.6.*unaffected
LinuxLinux6.12.69 <= 6.12.*unaffected
LinuxLinux6.18.9 <= 6.18.*unaffected
LinuxLinux6.19 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References