CVE-2026-23146
Unknown Unknown - Not Provided
Null Pointer Dereference in Linux Bluetooth hci_uart Component

Publication date: 2026-02-14

Last updated on: 2026-03-17

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work hci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling hci_uart_register_dev(), which calls proto->open() to initialize hu->priv. However, if a TTY write wakeup occurs during this window, hci_uart_tx_wakeup() may schedule write_work before hu->priv is initialized, leading to a NULL pointer dereference in hci_uart_write_work() when proto->dequeue() accesses hu->priv. The race condition is: CPU0 CPU1 ---- ---- hci_uart_set_proto() set_bit(HCI_UART_PROTO_INIT) hci_uart_register_dev() tty write wakeup hci_uart_tty_wakeup() hci_uart_tx_wakeup() schedule_work(&hu->write_work) proto->open(hu) // initializes hu->priv hci_uart_write_work() hci_uart_dequeue() proto->dequeue(hu) // accesses hu->priv (NULL!) Fix this by moving set_bit(HCI_UART_PROTO_INIT) after proto->open() succeeds, ensuring hu->priv is initialized before any work can be scheduled.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-14
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-02-14
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23146
EUVD
EUVD-2026-5891
Affected Vendors & Products
Showing 15 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.13.12 (inc) to 6.14 (exc)
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 5.10.237 (inc) to 5.10.249 (exc)
linux linux_kernel From 5.15.181 (inc) to 5.15.199 (exc)
linux linux_kernel From 5.4.293 (inc) to 5.5 (exc)
linux linux_kernel From 6.1.135 (inc) to 6.1.162 (exc)
linux linux_kernel From 6.12.24 (inc) to 6.12.69 (exc)
linux linux_kernel From 6.14.3 (inc) to 6.18.9 (exc)
linux linux_kernel From 6.6.88 (inc) to 6.6.123 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's Bluetooth hci_uart driver. It is caused by a race condition during the initialization of a protocol in the hci_uart driver. Specifically, the function hci_uart_set_proto() sets a flag (HCI_UART_PROTO_INIT) before the protocol's open() function has completed initializing a private data structure (hu->priv). If a TTY write wakeup occurs during this window, a work function (hci_uart_write_work) may be scheduled that tries to access hu->priv before it is initialized, leading to a NULL pointer dereference.

The root cause is that the flag indicating initialization is set too early, allowing other code to run that assumes initialization is complete when it is not. The fix involves moving the setting of this flag until after the protocol's open() function successfully initializes hu->priv, preventing the NULL pointer dereference.

Impact Analysis

This vulnerability can cause a NULL pointer dereference in the Bluetooth hci_uart driver, which typically results in a kernel crash or system instability. Such a crash can lead to denial of service (DoS) conditions where the affected system becomes unresponsive or requires a reboot.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The vulnerability is fixed by ensuring that the initialization of hu->priv is completed before any work is scheduled. Specifically, the fix involves moving the set_bit(HCI_UART_PROTO_INIT) call to after proto->open() succeeds.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23146. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart