CVE-2026-23146

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work hci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling hci_uart_register_dev(), which calls proto->open() to initialize hu->priv. However, if a TTY write wakeup occurs during this window, hci_uart_tx_wakeup() may schedule write_work before hu->priv is initialized, leading to a NULL pointer dereference in hci_uart_write_work() when proto->dequeue() accesses hu->priv. The race condition is: CPU0 CPU1 ---- ---- hci_uart_set_proto() set_bit(HCI_UART_PROTO_INIT) hci_uart_register_dev() tty write wakeup hci_uart_tty_wakeup() hci_uart_tx_wakeup() schedule_work(&hu->write_work) proto->open(hu) // initializes hu->priv hci_uart_write_work() hci_uart_dequeue() proto->dequeue(hu) // accesses hu->priv (NULL!) Fix this by moving set_bit(HCI_UART_PROTO_INIT) after proto->open() succeeds, ensuring hu->priv is initialized before any work can be scheduled.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/03e8c90c62233382042b7bd0fa8b8900552fdb62	Patch
https://git.kernel.org/stable/c/0c3cd7a0b862c37acbee6d9502107146cc944398	Patch
https://git.kernel.org/stable/c/186d147cf7689ba1f9b3ddb753ab634a84940cc9	Patch
https://git.kernel.org/stable/c/53e54cb31e667fca05b1808b990eac0807d1dab0	Patch
https://git.kernel.org/stable/c/937a573423ce5a96fdb1fd425dc6b8d8d4ab5779	Patch
https://git.kernel.org/stable/c/b0a900939e7e4866d9b90e9112514b72c451e873	Patch
https://git.kernel.org/stable/c/ccc683f597ceb28deb966427ae948e5ac739a909	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc6::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc7::::::

History

17 Mar 2026, 21:13

Type	Values Removed	Values Added
CPE		cpe:2.3:o:linux:linux_kernel:6.19:rc1:::::: cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.19:rc3:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc4:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc6:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc5:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc7::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
First Time		Linux Linux linux Kernel
CWE		CWE-476
References	~~() https://git.kernel.org/stable/c/03e8c90c62233382042b7bd0fa8b8900552fdb62 -~~	() https://git.kernel.org/stable/c/03e8c90c62233382042b7bd0fa8b8900552fdb62 - Patch
References	~~() https://git.kernel.org/stable/c/0c3cd7a0b862c37acbee6d9502107146cc944398 -~~	() https://git.kernel.org/stable/c/0c3cd7a0b862c37acbee6d9502107146cc944398 - Patch
References	~~() https://git.kernel.org/stable/c/186d147cf7689ba1f9b3ddb753ab634a84940cc9 -~~	() https://git.kernel.org/stable/c/186d147cf7689ba1f9b3ddb753ab634a84940cc9 - Patch
References	~~() https://git.kernel.org/stable/c/53e54cb31e667fca05b1808b990eac0807d1dab0 -~~	() https://git.kernel.org/stable/c/53e54cb31e667fca05b1808b990eac0807d1dab0 - Patch
References	~~() https://git.kernel.org/stable/c/937a573423ce5a96fdb1fd425dc6b8d8d4ab5779 -~~	() https://git.kernel.org/stable/c/937a573423ce5a96fdb1fd425dc6b8d8d4ab5779 - Patch
References	~~() https://git.kernel.org/stable/c/b0a900939e7e4866d9b90e9112514b72c451e873 -~~	() https://git.kernel.org/stable/c/b0a900939e7e4866d9b90e9112514b72c451e873 - Patch
References	~~() https://git.kernel.org/stable/c/ccc683f597ceb28deb966427ae948e5ac739a909 -~~	() https://git.kernel.org/stable/c/ccc683f597ceb28deb966427ae948e5ac739a909 - Patch

18 Feb 2026, 17:52

Type	Values Removed	Values Added
Summary		(es) En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: Bluetooth: hci_uart: corrección de desreferencia de puntero nulo en hci_uart_write_work hci_uart_set_proto() establece HCI_UART_PROTO_INIT antes de llamar a hci_uart_register_dev(), que llama a proto->open() para inicializar hu->priv. Sin embargo, si una activación de escritura TTY ocurre durante esta ventana, hci_uart_tx_wakeup() puede programar write_work antes de que hu->priv sea inicializado, lo que lleva a una desreferencia de puntero NULL en hci_uart_write_work() cuando proto->dequeue() accede a hu->priv. La condición de carrera es: CPU0 CPU1 ---- ---- hci_uart_set_proto() set_bit(HCI_UART_PROTO_INIT) hci_uart_register_dev() activación de escritura tty hci_uart_tty_wakeup() hci_uart_tx_wakeup() schedule_work(&hu->write_work) proto->open(hu) // inicializa hu->priv hci_uart_write_work() hci_uart_dequeue() proto->dequeue(hu) // accede a hu->priv (¡NULL!) Esto se soluciona moviendo set_bit(HCI_UART_PROTO_INIT) después de que proto->open() se complete con éxito, asegurando que hu->priv esté inicializado antes de que se pueda programar cualquier trabajo.

14 Feb 2026, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-14 16:15

Updated : 2026-03-17 21:13

NVD link : CVE-2026-23146

Mitre link : CVE-2026-23146

CVE.ORG link : CVE-2026-23146

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-476

NULL Pointer Dereference

5.5 /10