CVE-2022-50339
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-16

Last updated on: 2025-12-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: avoid hci_dev_test_and_set_flag() in mgmt_init_hdev() syzbot is again reporting attempt to cancel uninitialized work at mgmt_index_removed() [1], for setting of HCI_MGMT flag from mgmt_init_hdev() from hci_mgmt_cmd() from hci_sock_sendmsg() can race with testing of HCI_MGMT flag from mgmt_index_removed() from hci_sock_bind() due to lack of serialization via hci_dev_lock(). Since mgmt_init_hdev() is called with mgmt_chan_list_lock held, we can safely split hci_dev_test_and_set_flag() into hci_dev_test_flag() and hci_dev_set_flag(). Thus, in order to close this race, set HCI_MGMT flag after INIT_DELAYED_WORK() completed. This is a local fix based on mgmt_chan_list_lock. Lack of serialization via hci_dev_lock() might be causing different race conditions somewhere else. But a global fix based on hci_dev_lock() should deserve a future patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-16
Last Modified
2025-12-01
Generated
2026-06-16
AI Q&A
2025-09-16
EPSS Evaluated
2026-06-14
NVD
CVE-2022-50339
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel From 6.0 (inc) to 6.0.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the Linux kernel's Bluetooth subsystem involves a race condition due to improper serialization when setting and testing the HCI_MGMT flag. Specifically, the function hci_dev_test_and_set_flag() is used in mgmt_init_hdev() without proper locking, which can race with the testing of the same flag in mgmt_index_removed(). This race condition can lead to attempts to cancel uninitialized work, causing instability. The fix involves splitting the flag test and set operations and ensuring the flag is set only after certain initialization work is completed, using the mgmt_chan_list_lock to serialize access.

Impact Analysis

This vulnerability can cause race conditions in the Bluetooth management code of the Linux kernel, potentially leading to attempts to cancel uninitialized work. This may result in system instability or unexpected behavior in Bluetooth functionality, which could affect the reliability of Bluetooth operations on affected systems.

Mitigation Strategies

Apply the patch that fixes the race condition by ensuring the HCI_MGMT flag is set only after INIT_DELAYED_WORK() has completed, as described in the fix. This involves updating the Linux kernel to a version that includes this fix, which serializes access properly using mgmt_chan_list_lock to avoid the race condition.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2022-50339. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart