5.5

CVE-2026-23146

Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work

hci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling
hci_uart_register_dev(), which calls proto->open() to initialize
hu->priv. However, if a TTY write wakeup occurs during this window,
hci_uart_tx_wakeup() may schedule write_work before hu->priv is
initialized, leading to a NULL pointer dereference in
hci_uart_write_work() when proto->dequeue() accesses hu->priv.

The race condition is:

  CPU0                              CPU1
  ----                              ----
  hci_uart_set_proto()
    set_bit(HCI_UART_PROTO_INIT)
    hci_uart_register_dev()
                                    tty write wakeup
                                      hci_uart_tty_wakeup()
                                        hci_uart_tx_wakeup()
                                          schedule_work(&hu->write_work)
      proto->open(hu)
        // initializes hu->priv
                                    hci_uart_write_work()
                                      hci_uart_dequeue()
                                        proto->dequeue(hu)
                                          // accesses hu->priv (NULL!)

Fix this by moving set_bit(HCI_UART_PROTO_INIT) after proto->open()
succeeds, ensuring hu->priv is initialized before any work can be
scheduled.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 5.4.293 < 5.5
LinuxLinux Kernel Version >= 5.10.237 < 5.10.249
LinuxLinux Kernel Version >= 5.15.181 < 5.15.199
LinuxLinux Kernel Version >= 6.1.135 < 6.1.162
LinuxLinux Kernel Version >= 6.6.88 < 6.6.123
LinuxLinux Kernel Version >= 6.12.24 < 6.12.69
LinuxLinux Kernel Version >= 6.13.12 < 6.14
LinuxLinux Kernel Version >= 6.14.3 < 6.18.9
LinuxLinux Kernel Version6.19 Updaterc1
LinuxLinux Kernel Version6.19 Updaterc2
LinuxLinux Kernel Version6.19 Updaterc3
LinuxLinux Kernel Version6.19 Updaterc4
LinuxLinux Kernel Version6.19 Updaterc5
LinuxLinux Kernel Version6.19 Updaterc6
LinuxLinux Kernel Version6.19 Updaterc7
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.12% 0.024
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

https://git.kernel.org/stable/c/03e8c90c62233382042b7bd0fa8b8900552fdb62
Patch
https://git.kernel.org/stable/c/0c3cd7a0b862c37acbee6d9502107146cc944398
Patch
https://git.kernel.org/stable/c/186d147cf7689ba1f9b3ddb753ab634a84940cc9
Patch
https://git.kernel.org/stable/c/53e54cb31e667fca05b1808b990eac0807d1dab0
Patch
https://git.kernel.org/stable/c/937a573423ce5a96fdb1fd425dc6b8d8d4ab5779
Patch
https://git.kernel.org/stable/c/b0a900939e7e4866d9b90e9112514b72c451e873
Patch
https://git.kernel.org/stable/c/ccc683f597ceb28deb966427ae948e5ac739a909
Patch