Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths
Summary
| CVE | CVE-2026-46275 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-08 16:16:40 UTC |
| Updated | 2026-07-08 14:46:18 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths Vulnerabilities leading to Use-After-Free (UAF) and Null Pointer Dereference (NPD) conditions were observed in the lifecycle management of hci_uart. The primary issue arises because the workqueues (init_ready and write_work) are only flushed/cancelled if the HCI_UART_PROTO_READY flag is set during TTY close. If a hangup occurs before setup completes, hci_uart_tty_close() skips the teardown of these workqueues and proceeds to free the `hu` struct. When the scheduled work executes later, it blindly dereferences the freed `hu` struct. Furthermore, several data races and UAFs were identified in the teardown sequence: 1. Calling hci_uart_flush() from hci_uart_close() without effectively disabling write_work causes a race condition where both can concurrently double-free hu->tx_skb. This happens because protocol timers can concurrently invoke hci_uart_tx_wakeup() and requeue write_work. 2. Calling hci_free_dev(hdev) before hu->proto->close(hu) causes a UAF when vendor specific protocol close callbacks dereference hu->hdev. 3. In the initialization error paths, failing to take the proto_lock write lock before clearing PROTO_READY leads to races with active readers. Additionally, hci_uart_tty_receive() accesses hu->hdev outside the read lock, leading to UAFs if the initialization error path frees hdev concurrently. Fix these synchronization and lifecycle issues by: 1. Re-ordering hci_uart_tty_close() to clear HCI_UART_PROTO_READY first, followed immediately by a cancel_work_sync(&hu->write_work). Clearing the flag locks out concurrent protocol timers from successfully invoking hci_uart_tx_wakeup(), effectively rendering the cancellation permanent and preventing the tx_skb double-free. 2. Note: Clearing PROTO_READY early causes hci_uart_close() to skip hu->proto->flush(). This is perfectly safe in the tty_close path because hu->proto->close() executes shortly after, which intrinsically purges all protocol SKB queues and tears down the state. 3. Relocating hu->proto->close(hu) strictly prior to hci_free_dev(hdev) across all close and error paths to prevent vendor-level UAFs. 4. Moving the hdev->stat.byte_rx increment in hci_uart_tty_receive() inside the proto_lock read-side critical section to safely synchronize with device unregistration. 5. Adding cancel_work_sync(&hu->write_work) to hci_uart_close() to safely flush the workqueue before hci_uart_flush() is invoked via the HCI core. 6. Utilizing cancel_work_sync() instead of disable_work_sync() across all paths to prevent permanently breaking user-space retry capabilities. |
Risk And Classification
Primary CVSS: v3.1 7.8 HIGH from 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.001850000 probability, percentile 0.083160000 (date 2026-07-09)
Problem Types: CWE-362
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | Secondary | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | CNA | DECLARED | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Linux | Linux Kernel | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 3b799254cf6f481460719023d7a18f46651e5e7f 78aad93e938f013d9272fe0ee168f27883afa95c git | Not specified |
| CNA | Linux | Linux | affected 3b799254cf6f481460719023d7a18f46651e5e7f e2d19969c8d9198ecc3090bcd5312ecd503a3339 git | Not specified |
| CNA | Linux | Linux | affected 3b799254cf6f481460719023d7a18f46651e5e7f c85cff648a2bc92322912db5f1727ad05afae7b6 git | Not specified |
| CNA | Linux | Linux | affected 3b799254cf6f481460719023d7a18f46651e5e7f 9d20d48be2c4a071fb015eb09bda2cecd25daf34 git | Not specified |
| CNA | Linux | Linux | affected 3b799254cf6f481460719023d7a18f46651e5e7f 81c7a3c22a0f2808cf4ae0b4908f59763b23606d git | Not specified |
| CNA | Linux | Linux | affected 3b799254cf6f481460719023d7a18f46651e5e7f 192cb0f1ca706d9a1bc36ae0ad5f666d1e4fd894 git | Not specified |
| CNA | Linux | Linux | affected 3b799254cf6f481460719023d7a18f46651e5e7f 7338031946bd06f6dff149e67b60c4cd083bfea8 git | Not specified |
| CNA | Linux | Linux | affected 3b799254cf6f481460719023d7a18f46651e5e7f c1bb9336ae6b54a5f6a353c4bd4ed9a4307e429b git | Not specified |
| CNA | Linux | Linux | affected cd27019bc149f20f12ebec943c2b4c775745a5a0 git | Not specified |
| CNA | Linux | Linux | affected aea63181b6fcb6b9ccde1ada9ea51be19c4015af git | Not specified |
| CNA | Linux | Linux | affected 0d234d1135dcd8876de0576dac68efd0a87eef87 git | Not specified |
| CNA | Linux | Linux | affected 3fe978892ab46efc2f3830d9abc015eff72caaf9 git | Not specified |
| CNA | Linux | Linux | affected 0d987e14bebaf0f67ee7dbefaf6165c62cd1d27f git | Not specified |
| CNA | Linux | Linux | affected 4.14.203 4.15 semver | Not specified |
| CNA | Linux | Linux | affected 4.19.153 4.20 semver | Not specified |
| CNA | Linux | Linux | affected 5.4.73 5.5 semver | Not specified |
| CNA | Linux | Linux | affected 5.8.17 5.9 semver | Not specified |
| CNA | Linux | Linux | affected 5.9.2 5.10 semver | Not specified |
| CNA | Linux | Linux | affected 5.10 | Not specified |
| CNA | Linux | Linux | unaffected 5.10 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.258 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.209 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.175 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.142 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.92 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.34 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0.11 7.0.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.1 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/192cb0f1ca706d9a1bc36ae0ad5f666d1e4fd894 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/c85cff648a2bc92322912db5f1727ad05afae7b6 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/c1bb9336ae6b54a5f6a353c4bd4ed9a4307e429b | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/e2d19969c8d9198ecc3090bcd5312ecd503a3339 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/78aad93e938f013d9272fe0ee168f27883afa95c | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/81c7a3c22a0f2808cf4ae0b4908f59763b23606d | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/7338031946bd06f6dff149e67b60c4cd083bfea8 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/9d20d48be2c4a071fb015eb09bda2cecd25daf34 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.