CVE-2026-43119
Awaiting Analysis Awaiting Analysis - Queue
Race Condition in Linux Kernel Bluetooth Subsystem

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: annotate data-races around hdev->req_status __hci_cmd_sync_sk() sets hdev->req_status under hdev->req_lock: hdev->req_status = HCI_REQ_PEND; However, several other functions read or write hdev->req_status without holding any lock: - hci_send_cmd_sync() reads req_status in hci_cmd_work (workqueue) - hci_cmd_sync_complete() reads/writes from HCI event completion - hci_cmd_sync_cancel() / hci_cmd_sync_cancel_sync() read/write - hci_abort_conn() reads in connection abort path Since __hci_cmd_sync_sk() runs on hdev->req_workqueue while hci_send_cmd_sync() runs on hdev->workqueue, these are different workqueues that can execute concurrently on different CPUs. The plain C accesses constitute a data race. Add READ_ONCE()/WRITE_ONCE() annotations on all concurrent accesses to hdev->req_status to prevent potential compiler optimizations that could affect correctness (e.g., load fusing in the wait_event condition or store reordering).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-43119
EUVD
EUVD-2026-27647
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The vulnerability involves data races in the Linux kernel Bluetooth hci_sync code related to concurrent access to hdev->req_status without proper locking.

To mitigate this vulnerability, update your Linux kernel to a version where this issue is resolved by adding READ_ONCE()/WRITE_ONCE() annotations on all concurrent accesses to hdev->req_status.

Executive Summary

This vulnerability in the Linux kernel's Bluetooth subsystem involves a data race condition around the variable hdev->req_status. The function __hci_cmd_sync_sk() sets this variable while holding a lock, but several other functions read or write to it without any locking. Since these functions run on different workqueues that can execute concurrently on different CPUs, the unsynchronized access leads to a data race.

The issue arises because concurrent accesses to hdev->req_status are not properly synchronized, which can cause incorrect behavior due to compiler optimizations like load fusing or store reordering. The fix involved adding READ_ONCE()/WRITE_ONCE() annotations to all concurrent accesses to ensure correct memory access ordering.

Impact Analysis

This vulnerability can lead to unpredictable behavior in the Bluetooth subsystem of the Linux kernel due to data races on the hdev->req_status variable. Such data races can cause incorrect synchronization, potentially resulting in failures or instability in Bluetooth command processing.

While the exact impact is not detailed, data races can cause erratic system behavior, crashes, or security issues if exploited, affecting the reliability and stability of Bluetooth communications on affected systems.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43119. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart