CVE-2026-53073
Bluetooth Stack Use-After-Free in Linux Kernel

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error

When hci_register_dev() fails in hci_uart_register_dev(), HCI_UART_PROTO_INIT is not cleared before calling hu->proto->close(hu) and setting hu->hdev to NULL. This means incoming UART data will reach the protocol-specific recv handler in hci_uart_tty_receive() after resources are freed.

Clear HCI_UART_PROTO_INIT with a write lock before calling hu->proto->close() and setting hu->hdev to NULL. The write lock ensures all active readers have completed and no new reader can enter the protocol recv path before resources are freed. This allows the protocol-specific recv functions to remove the "HCI_UART_REGISTERED" guard without risking a null pointer dereference if hci_register_dev() fails.
Meta Information

Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)

Vendor: linux
Product: linux_kernel
Version / Range: *
Exploitability

CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's Bluetooth subsystem, specifically in the hci_ldisc component. When the function hci_register_dev() fails during the process of registering a device in hci_uart_register_dev(), a flag called HCI_UART_PROTO_INIT is not cleared before the protocol's close function is called and the device pointer is set to NULL.

Because the flag is not cleared, incoming UART data can still be forwarded from the line-discipline receive callback, hci_uart_tty_receive(), to the protocol-specific receive handler after the associated resources have been freed. This can lead to unsafe behavior such as accessing freed or invalid memory.

The fix involves clearing the HCI_UART_PROTO_INIT flag with a write lock before calling the protocol's close function and setting the device pointer to NULL. This write lock ensures that all active readers have finished and no new readers can enter the receive path before resources are freed, preventing potential null pointer dereferences.

Impact Analysis

This vulnerability can lead to unsafe memory access in the Bluetooth subsystem of the Linux kernel. Specifically, incoming UART data processed after the related resources have been freed can trigger a use-after-free or a null pointer dereference in the protocol receive handler. The window is the error path in which hci_register_dev() fails while UART data is still arriving.

Such issues can result in system instability or crashes (denial of service) and could potentially be leveraged by an attacker for arbitrary code execution, since the flaw lies in how Bluetooth UART data is handled after cleanup.

Mitigation Strategies

The vulnerability is resolved by clearing the HCI_UART_PROTO_INIT flag with a write lock before calling the protocol close function and setting the device pointer to NULL. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

This update ensures that incoming UART data does not reach protocol-specific receive handlers after resources are freed, preventing potential null pointer dereferences.
