Bluetooth: hci_uart: fix UAFs and race conditions in close and...

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths

Vulnerabilities leading to Use-After-Free (UAF) and Null Pointer
Dereference (NPD) conditions were observed in the lifecycle management
of hci_uart.

The primary issue arises because the workqueues (init_ready and
write_work) are only flushed/cancelled if the HCI_UART_PROTO_READY
flag is set during TTY close. If a hangup occurs before setup completes,
hci_uart_tty_close() skips the teardown of these workqueues and
proceeds to free the `hu` struct. When the scheduled work executes
later, it blindly dereferences the freed `hu` struct.

Furthermore, several data races and UAFs were identified in the teardown
sequence:
1. Calling hci_uart_flush() from hci_uart_close() without effectively
disabling write_work causes a race condition where both can concurrently
double-free hu->tx_skb. This happens because protocol timers can
concurrently invoke hci_uart_tx_wakeup() and requeue write_work.
2. Calling hci_free_dev(hdev) before hu->proto->close(hu) causes a UAF
when vendor specific protocol close callbacks dereference hu->hdev.
3. In the initialization error paths, failing to take the proto_lock
write lock before clearing PROTO_READY leads to races with active
readers. Additionally, hci_uart_tty_receive() accesses hu->hdev
outside the read lock, leading to UAFs if the initialization error
path frees hdev concurrently.

Fix these synchronization and lifecycle issues by:
1. Re-ordering hci_uart_tty_close() to clear HCI_UART_PROTO_READY first,
followed immediately by a cancel_work_sync(&hu->write_work). Clearing
the flag locks out concurrent protocol timers from successfully invoking
hci_uart_tx_wakeup(), effectively rendering the cancellation permanent
and preventing the tx_skb double-free.
2. Note: Clearing PROTO_READY early causes hci_uart_close() to skip
hu->proto->flush(). This is perfectly safe in the tty_close path
because hu->proto->close() executes shortly after, which intrinsically
purges all protocol SKB queues and tears down the state.
3. Relocating hu->proto->close(hu) strictly prior to hci_free_dev(hdev)
across all close and error paths to prevent vendor-level UAFs.
4. Moving the hdev->stat.byte_rx increment in hci_uart_tty_receive()
inside the proto_lock read-side critical section to safely synchronize
with device unregistration.
5. Adding cancel_work_sync(&hu->write_work) to hci_uart_close() to safely
flush the workqueue before hci_uart_flush() is invoked via the HCI core.
6. Utilizing cancel_work_sync() instead of disable_work_sync() across
all paths to prevent permanently breaking user-space retry capabilities.

Basic Information

ID CVE-2026-46275

Source Linux

Published Jun 8, 2026 at 14:30

Modified Jun 14, 2026 at 04:29

Affected Product

Vendor Linux

Product Linux

Version 3b799254cf6f481460719023d7a18f46651e5e7f

Affected Versions Linux Linux 3b799254cf6f481460719023d7a18f46651e5e7f
Linux Linux 3b799254cf6f481460719023d7a18f46651e5e7f
Linux Linux 3b799254cf6f481460719023d7a18f46651e5e7f
Linux Linux 3b799254cf6f481460719023d7a18f46651e5e7f
Linux Linux 3b799254cf6f481460719023d7a18f46651e5e7f
Linux Linux 3b799254cf6f481460719023d7a18f46651e5e7f
Linux Linux 3b799254cf6f481460719023d7a18f46651e5e7f
Linux Linux 3b799254cf6f481460719023d7a18f46651e5e7f
Linux Linux cd27019bc149f20f12ebec943c2b4c775745a5a0
Linux Linux aea63181b6fcb6b9ccde1ada9ea51be19c4015af
Linux Linux 0d234d1135dcd8876de0576dac68efd0a87eef87
Linux Linux 3fe978892ab46efc2f3830d9abc015eff72caaf9
Linux Linux 0d987e14bebaf0f67ee7dbefaf6165c62cd1d27f
Linux Linux 4.14.203
Linux Linux 4.19.153
Linux Linux 5.4.73
Linux Linux 5.8.17
Linux Linux 5.9.2
Linux Linux 5.10

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_uart: fix UAFs and race conditions in close and init paths\n\nVulnerabilities leading to Use-After-Free (UAF) and Null Pointer\nDereference (NPD) conditions were observed in the lifecycle management\nof hci_uart.\n\nThe primary issue arises because the workqueues (init_ready and\nwrite_work) are only flushed/cancelled if the HCI_UART_PROTO_READY\nflag is set during TTY close. If a hangup occurs before setup completes,\nhci_uart_tty_close() skips the teardown of these workqueues and\nproceeds to free the `hu` struct. When the scheduled work executes\nlater, it blindly dereferences the freed `hu` struct.\n\nFurthermore, several data races and UAFs were identified in the teardown\nsequence:\n1. Calling hci_uart_flush() from hci_uart_close() without effectively\n   disabling write_work causes a race condition where both can concurrently\n   double-free hu->tx_skb. This happens because protocol timers can\n   concurrently invoke hci_uart_tx_wakeup() and requeue write_work.\n2. Calling hci_free_dev(hdev) before hu->proto->close(hu) causes a UAF\n   when vendor specific protocol close callbacks dereference hu->hdev.\n3. In the initialization error paths, failing to take the proto_lock\n   write lock before clearing PROTO_READY leads to races with active\n   readers. Additionally, hci_uart_tty_receive() accesses hu->hdev\n   outside the read lock, leading to UAFs if the initialization error\n   path frees hdev concurrently.\n\nFix these synchronization and lifecycle issues by:\n1. Re-ordering hci_uart_tty_close() to clear HCI_UART_PROTO_READY first,\n   followed immediately by a cancel_work_sync(&hu->write_work). Clearing\n   the flag locks out concurrent protocol timers from successfully invoking\n   hci_uart_tx_wakeup(), effectively rendering the cancellation permanent\n   and preventing the tx_skb double-free.\n2. Note: Clearing PROTO_READY early causes hci_uart_close() to skip\n   hu->proto->flush(). This is perfectly safe in the tty_close path\n   because hu->proto->close() executes shortly after, which intrinsically\n   purges all protocol SKB queues and tears down the state.\n3. Relocating hu->proto->close(hu) strictly prior to hci_free_dev(hdev)\n   across all close and error paths to prevent vendor-level UAFs.\n4. Moving the hdev->stat.byte_rx increment in hci_uart_tty_receive()\n   inside the proto_lock read-side critical section to safely synchronize\n   with device unregistration.\n5. Adding cancel_work_sync(&hu->write_work) to hci_uart_close() to safely\n   flush the workqueue before hci_uart_flush() is invoked via the HCI core.\n6. Utilizing cancel_work_sync() instead of disable_work_sync() across\n   all paths to prevent permanently breaking user-space retry capabilities.",
    "published": "2026-06-08T14:30:54.232Z",
    "modified": "2026-06-14T04:29:56.520Z",
    "type": "cve",
    "title": "Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/78aad93e938f013d9272fe0ee168f27883afa95c\nhttps://git.kernel.org/stable/c/e2d19969c8d9198ecc3090bcd5312ecd503a3339\nhttps://git.kernel.org/stable/c/c85cff648a2bc92322912db5f1727ad05afae7b6\nhttps://git.kernel.org/stable/c/9d20d48be2c4a071fb015eb09bda2cecd25daf34\nhttps://git.kernel.org/stable/c/81c7a3c22a0f2808cf4ae0b4908f59763b23606d\nhttps://git.kernel.org/stable/c/192cb0f1ca706d9a1bc36ae0ad5f666d1e4fd894\nhttps://git.kernel.org/stable/c/7338031946bd06f6dff149e67b60c4cd083bfea8\nhttps://git.kernel.org/stable/c/c1bb9336ae6b54a5f6a353c4bd4ed9a4307e429b",
    "id": "CVE-2026-46275",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 3b799254cf6f481460719023d7a18f46651e5e7f\nLinux Linux 3b799254cf6f481460719023d7a18f46651e5e7f\nLinux Linux 3b799254cf6f481460719023d7a18f46651e5e7f\nLinux Linux 3b799254cf6f481460719023d7a18f46651e5e7f\nLinux Linux 3b799254cf6f481460719023d7a18f46651e5e7f\nLinux Linux 3b799254cf6f481460719023d7a18f46651e5e7f\nLinux Linux 3b799254cf6f481460719023d7a18f46651e5e7f\nLinux Linux 3b799254cf6f481460719023d7a18f46651e5e7f\nLinux Linux cd27019bc149f20f12ebec943c2b4c775745a5a0\nLinux Linux aea63181b6fcb6b9ccde1ada9ea51be19c4015af\nLinux Linux 0d234d1135dcd8876de0576dac68efd0a87eef87\nLinux Linux 3fe978892ab46efc2f3830d9abc015eff72caaf9\nLinux Linux 0d987e14bebaf0f67ee7dbefaf6165c62cd1d27f\nLinux Linux 4.14.203\nLinux Linux 4.19.153\nLinux Linux 5.4.73\nLinux Linux 5.8.17\nLinux Linux 5.9.2\nLinux Linux 5.10",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "3b799254cf6f481460719023d7a18f46651e5e7f",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths_CVE-2026-46275

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply