CVE-2026-23146
Null Pointer Dereference in Linux Bluetooth hci_uart Component
Publication date: 2026-02-14
Last updated on: 2026-03-17
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | From 6.13.12 (inc) to 6.14 (exc) |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | From 5.10.237 (inc) to 5.10.249 (exc) |
| linux | linux_kernel | From 5.15.181 (inc) to 5.15.199 (exc) |
| linux | linux_kernel | From 5.4.293 (inc) to 5.5 (exc) |
| linux | linux_kernel | From 6.1.135 (inc) to 6.1.162 (exc) |
| linux | linux_kernel | From 6.12.24 (inc) to 6.12.69 (exc) |
| linux | linux_kernel | From 6.14.3 (inc) to 6.18.9 (exc) |
| linux | linux_kernel | From 6.6.88 (inc) to 6.6.123 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's Bluetooth hci_uart driver. It is caused by a race condition during the initialization of a protocol in the hci_uart driver. Specifically, the function hci_uart_set_proto() sets a flag (HCI_UART_PROTO_INIT) before the protocol's open() function has completed initializing a private data structure (hu->priv). If a TTY write wakeup occurs during this window, a work function (hci_uart_write_work) may be scheduled that tries to access hu->priv before it is initialized, leading to a NULL pointer dereference.
The root cause is that the flag indicating initialization is set too early, allowing other code to run that assumes initialization is complete when it is not. The fix involves moving the setting of this flag until after the protocol's open() function successfully initializes hu->priv, preventing the NULL pointer dereference.
How can this vulnerability impact me? :
This vulnerability can cause a NULL pointer dereference in the Bluetooth hci_uart driver, which typically results in a kernel crash or system instability. Such a crash can lead to denial of service (DoS) conditions where the affected system becomes unresponsive or requires a reboot.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed by ensuring that the initialization of hu->priv is completed before any work is scheduled. Specifically, the fix involves moving the set_bit(HCI_UART_PROTO_INIT) call to after proto->open() succeeds.
To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.