CVE-2026-31500
Received Received - Intake
Use-After-Free in Linux Bluetooth btintel Driver Causes Kernel Crash

Publication date: 2026-04-22

Last updated on: 2026-06-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock btintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESET and Intel exception-info retrieval) without holding hci_req_sync_lock(). This lets it race against hci_dev_do_close() -> btintel_shutdown_combined(), which also runs __hci_cmd_sync() under the same lock. When both paths manipulate hdev->req_status/req_rsp concurrently, the close path may free the response skb first, and the still-running hw_error path hits a slab-use-after-free in kfree_skb(). Wrap the whole recovery sequence in hci_req_sync_lock/unlock so it is serialized with every other synchronous HCI command issuer. Below is the data race report and the kasan report: BUG: data-race in __hci_cmd_sync_sk / btintel_shutdown_combined read of hdev->req_rsp at net/bluetooth/hci_sync.c:199 by task kworker/u17:1/83: __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200 __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223 btintel_hw_error+0x114/0x670 drivers/bluetooth/btintel.c:254 hci_error_reset+0x348/0xa30 net/bluetooth/hci_core.c:1030 write/free by task ioctl/22580: btintel_shutdown_combined+0xd0/0x360 drivers/bluetooth/btintel.c:3648 hci_dev_close_sync+0x9ae/0x2c10 net/bluetooth/hci_sync.c:5246 hci_dev_do_close+0x232/0x460 net/bluetooth/hci_core.c:526 BUG: KASAN: slab-use-after-free in sk_skb_reason_drop+0x43/0x380 net/core/skbuff.c:1202 Read of size 4 at addr ffff888144a738dc by task kworker/u17:1/83: __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200 __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223 btintel_hw_error+0x186/0x670 drivers/bluetooth/btintel.c:260
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-06-01
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31500
EUVD
EUVD-2026-24876
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
linux linux_kernel 4.3
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.21 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.11 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.80 (exc)
linux linux_kernel From 4.3.1 (inc) to 6.6.131 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The vulnerability has been resolved by serializing the btintel_hw_error() function with hci_req_sync_lock to prevent race conditions. Immediate mitigation involves updating the Linux kernel to a version where this fix is applied.

Specifically, ensure your system is running a Linux kernel version that includes the patch wrapping the recovery sequence in hci_req_sync_lock/unlock to serialize synchronous HCI command issuers.

Executive Summary

This vulnerability exists in the Linux kernel's Bluetooth subsystem, specifically in the btintel driver. The function btintel_hw_error() issues two synchronous HCI commands without holding the hci_req_sync_lock(), which leads to a race condition with the close path (hci_dev_do_close() -> btintel_shutdown_combined()) that also uses the same lock. Because both paths manipulate shared data concurrently without proper synchronization, the close path may free a response buffer while the hw_error path is still using it, causing a use-after-free error in memory.

The fix involves wrapping the entire recovery sequence in the hci_req_sync_lock/unlock to serialize access and prevent the race condition.

Impact Analysis

This vulnerability can lead to a use-after-free condition in the Bluetooth driver, which may cause system instability, crashes, or potential kernel memory corruption. Such issues could be exploited to cause denial of service or potentially escalate privileges if an attacker can trigger the race condition.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31500. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart