Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work
hci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling
hci_uart_register_dev(), which calls proto->open() to initialize
hu->priv. However, if a TTY write wakeup occurs during this window,
hci_uart_tx_wakeup() may schedule write_work before hu->priv is
initialized, leading to a NULL pointer dereference in
hci_uart_write_work() when proto->dequeue() accesses hu->priv.
The race condition is:
CPU0 CPU1
---- ----
hci_uart_set_proto()
set_bit(HCI_UART_PROTO_INIT)
hci_uart_register_dev()
tty write wakeup
hci_uart_tty_wakeup()
hci_uart_tx_wakeup()
schedule_work(&hu->write_work)
proto->open(hu)
// initializes hu->priv
hci_uart_write_work()
hci_uart_dequeue()
proto->dequeue(hu)
// accesses hu->priv (NULL!)
Fix this by moving set_bit(HCI_UART_PROTO_INIT) after proto->open()
succeeds, ensuring hu->priv is initialized before any work can be
scheduled.
Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Ubuntu USN |
USN-8162-1 | Linux kernel (NVIDIA Tegra) vulnerabilities |
Ubuntu USN |
USN-8180-1 | Linux kernel vulnerabilities |
Ubuntu USN |
USN-8180-2 | Linux kernel (FIPS) vulnerabilities |
Ubuntu USN |
USN-8186-1 | Linux kernel (Real-time) vulnerabilities |
Ubuntu USN |
USN-8187-1 | Linux kernel (NVIDIA) vulnerabilities |
Ubuntu USN |
USN-8188-1 | Linux kernel (HWE) vulnerabilities |
Ubuntu USN |
USN-8180-3 | Linux kernel vulnerabilities |
Ubuntu USN |
USN-8180-4 | Linux kernel (Azure FIPS) vulnerabilities |
Ubuntu USN |
USN-8180-5 | Linux kernel (IBM) vulnerabilities |
Ubuntu USN |
USN-8243-1 | Linux kernel (Azure) vulnerabilities |
Ubuntu USN |
USN-8180-6 | Linux kernel (Raspberry Pi) vulnerabilities |
Ubuntu USN |
USN-8275-1 | Linux kernel (Xilinx ZynqMP) vulnerabilities |
Ubuntu USN |
USN-8278-1 | Linux kernel vulnerabilities |
Ubuntu USN |
USN-8289-1 | Linux kernel (NVIDIA) vulnerabilities |
Ubuntu USN |
USN-8296-1 | Linux kernel (FIPS) vulnerabilities |
Ubuntu USN |
USN-8297-1 | Linux kernel (GCP) vulnerabilities |
Ubuntu USN |
USN-8296-2 | Linux kernel (NVIDIA Tegra) vulnerabilities |
Ubuntu USN |
USN-8278-2 | Linux kernel (Azure) vulnerabilities |
Ubuntu USN |
USN-8440-1 | Linux kernel (Azure) vulnerabilities |
Thu, 11 Jun 2026 19:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Tue, 17 Mar 2026 21:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-476 | |
| CPEs | cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:* |
|
| Metrics |
cvssV3_1
|
cvssV3_1
|
Tue, 17 Feb 2026 00:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| References |
| |
| Metrics |
threat_severity
|
cvssV3_1
|
Sat, 14 Feb 2026 16:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work hci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling hci_uart_register_dev(), which calls proto->open() to initialize hu->priv. However, if a TTY write wakeup occurs during this window, hci_uart_tx_wakeup() may schedule write_work before hu->priv is initialized, leading to a NULL pointer dereference in hci_uart_write_work() when proto->dequeue() accesses hu->priv. The race condition is: CPU0 CPU1 ---- ---- hci_uart_set_proto() set_bit(HCI_UART_PROTO_INIT) hci_uart_register_dev() tty write wakeup hci_uart_tty_wakeup() hci_uart_tx_wakeup() schedule_work(&hu->write_work) proto->open(hu) // initializes hu->priv hci_uart_write_work() hci_uart_dequeue() proto->dequeue(hu) // accesses hu->priv (NULL!) Fix this by moving set_bit(HCI_UART_PROTO_INIT) after proto->open() succeeds, ensuring hu->priv is initialized before any work can be scheduled. | |
| Title | Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work | |
| First Time appeared |
Linux
Linux linux Kernel |
|
| CPEs | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Linux
Linux linux Kernel |
|
| References |
|
|
Status: PUBLISHED
Assigner: Linux
Published:
Updated: 2026-06-11T18:44:17.179Z
Reserved: 2026-01-13T15:37:45.974Z
Link: CVE-2026-23146
Updated: 2026-06-11T17:38:49.920Z
Status : Analyzed
Published: 2026-02-14T16:15:54.703
Modified: 2026-06-17T10:20:59.047
Link: CVE-2026-23146
OpenCVE Enrichment
Updated: 2026-04-17T19:45:25Z
Ubuntu USN