CVE-2026-46275
Received Received - Intake
Use-After-Free and Race Conditions in Linux Kernel Bluetooth HCI UART

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths Vulnerabilities leading to Use-After-Free (UAF) and Null Pointer Dereference (NPD) conditions were observed in the lifecycle management of hci_uart. The primary issue arises because the workqueues (init_ready and write_work) are only flushed/cancelled if the HCI_UART_PROTO_READY flag is set during TTY close. If a hangup occurs before setup completes, hci_uart_tty_close() skips the teardown of these workqueues and proceeds to free the `hu` struct. When the scheduled work executes later, it blindly dereferences the freed `hu` struct. Furthermore, several data races and UAFs were identified in the teardown sequence: 1. Calling hci_uart_flush() from hci_uart_close() without effectively disabling write_work causes a race condition where both can concurrently double-free hu->tx_skb. This happens because protocol timers can concurrently invoke hci_uart_tx_wakeup() and requeue write_work. 2. Calling hci_free_dev(hdev) before hu->proto->close(hu) causes a UAF when vendor specific protocol close callbacks dereference hu->hdev. 3. In the initialization error paths, failing to take the proto_lock write lock before clearing PROTO_READY leads to races with active readers. Additionally, hci_uart_tty_receive() accesses hu->hdev outside the read lock, leading to UAFs if the initialization error path frees hdev concurrently. Fix these synchronization and lifecycle issues by: 1. Re-ordering hci_uart_tty_close() to clear HCI_UART_PROTO_READY first, followed immediately by a cancel_work_sync(&hu->write_work). Clearing the flag locks out concurrent protocol timers from successfully invoking hci_uart_tx_wakeup(), effectively rendering the cancellation permanent and preventing the tx_skb double-free. 2. Note: Clearing PROTO_READY early causes hci_uart_close() to skip hu->proto->flush(). This is perfectly safe in the tty_close path because hu->proto->close() executes shortly after, which intrinsically purges all protocol SKB queues and tears down the state. 3. Relocating hu->proto->close(hu) strictly prior to hci_free_dev(hdev) across all close and error paths to prevent vendor-level UAFs. 4. Moving the hdev->stat.byte_rx increment in hci_uart_tty_receive() inside the proto_lock read-side critical section to safely synchronize with device unregistration. 5. Adding cancel_work_sync(&hu->write_work) to hci_uart_close() to safely flush the workqueue before hci_uart_flush() is invoked via the HCI core. 6. Utilizing cancel_work_sync() instead of disable_work_sync() across all paths to prevent permanently breaking user-space retry capabilities.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-08
Last Modified
2026-06-08
Generated
2026-06-09
AI Q&A
2026-06-08
EPSS Evaluated
N/A
NVD
CVE-2026-46275
EUVD
EUVD-2026-35079
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's Bluetooth hci_uart component, where Use-After-Free (UAF) and race conditions occur during the close and initialization paths of the hci_uart lifecycle.

The main problem is that certain workqueues are only cancelled if a specific flag (HCI_UART_PROTO_READY) is set during TTY close. If a hangup happens before setup completes, the teardown of these workqueues is skipped and the associated structure is freed. Later, scheduled work tries to access this freed structure, causing UAF.

Additional issues include race conditions and double-free errors caused by improper synchronization when flushing and closing the device, as well as accessing freed memory during initialization error paths.

The fix involves reordering operations to clear flags and cancel workqueues earlier, relocating protocol close callbacks before freeing device structures, and improving locking to prevent concurrent access to freed memory.

Impact Analysis

This vulnerability can lead to Use-After-Free conditions and race conditions in the Bluetooth subsystem of the Linux kernel, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or cause denial of service by exploiting these memory errors.

Mitigation Strategies

To mitigate this vulnerability in the Linux kernel Bluetooth hci_uart component, immediate steps include applying the patch or update that fixes the use-after-free and race conditions in the close and init paths.

  • Ensure that hci_uart_tty_close() clears the HCI_UART_PROTO_READY flag before cancelling the write_work to prevent concurrent protocol timers from invoking hci_uart_tx_wakeup().
  • Make sure hu->proto->close(hu) is called strictly before hci_free_dev(hdev) in all close and error paths to avoid vendor-level use-after-free issues.
  • Use cancel_work_sync() instead of disable_work_sync() to safely flush workqueues without breaking user-space retry capabilities.
  • Update the kernel to the fixed version that includes these synchronization and lifecycle management improvements.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46275. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart