HIGH 7.8

CVE-2026-46275: Linux Kernel Bluetooth HCI UART Use-After-Free & Race Condition Vulnerability

A series of use-after-free and race condition bugs exist in the Linux kernel's Bluetooth HCI UART driver lifecycle management. The vulnerabilities occur when the driver tears down connections or encounters initialization failures. In particular, if a device disconnects before setup completes, or if multiple operations race during shutdown, the driver may attempt to access memory that has already been freed. This can lead to crashes or potentially allow local code execution. The root cause involves improper ordering of cleanup steps and inadequate synchronization between concurrent workqueues and teardown sequences.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-362
Affected products
5 configuration(s)
Published / Modified
2026-06-08 / 2026-07-08

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths Vulnerabilities leading to Use-After-Free (UAF) and Null Pointer Dereference (NPD) conditions were observed in the lifecycle management of hci_uart. The primary issue arises because the workqueues (init_ready and write_work) are only flushed/cancelled if the HCI_UART_PROTO_READY flag is set during TTY close. If a hangup occurs before setup completes, hci_uart_tty_close() skips the teardown of these workqueues and proceeds to free the `hu` struct. When the scheduled work executes later, it blindly dereferences the freed `hu` struct. Furthermore, several data races and UAFs were identified in the teardown sequence: 1. Calling hci_uart_flush() from hci_uart_close() without effectively disabling write_work causes a race condition where both can concurrently double-free hu->tx_skb. This happens because protocol timers can concurrently invoke hci_uart_tx_wakeup() and requeue write_work. 2. Calling hci_free_dev(hdev) before hu->proto->close(hu) causes a UAF when vendor specific protocol close callbacks dereference hu->hdev. 3. In the initialization error paths, failing to take the proto_lock write lock before clearing PROTO_READY leads to races with active readers. Additionally, hci_uart_tty_receive() accesses hu->hdev outside the read lock, leading to UAFs if the initialization error path frees hdev concurrently. Fix these synchronization and lifecycle issues by: 1. Re-ordering hci_uart_tty_close() to clear HCI_UART_PROTO_READY first, followed immediately by a cancel_work_sync(&hu->write_work). Clearing the flag locks out concurrent protocol timers from successfully invoking hci_uart_tx_wakeup(), effectively rendering the cancellation permanent and preventing the tx_skb double-free. 2. Note: Clearing PROTO_READY early causes hci_uart_close() to skip hu->proto->flush(). This is perfectly safe in the tty_close path because hu->proto->close() executes shortly after, which intrinsically purges all protocol SKB queues and tears down the state. 3. Relocating hu->proto->close(hu) strictly prior to hci_free_dev(hdev) across all close and error paths to prevent vendor-level UAFs. 4. Moving the hdev->stat.byte_rx increment in hci_uart_tty_receive() inside the proto_lock read-side critical section to safely synchronize with device unregistration. 5. Adding cancel_work_sync(&hu->write_work) to hci_uart_close() to safely flush the workqueue before hci_uart_flush() is invoked via the HCI core. 6. Utilizing cancel_work_sync() instead of disable_work_sync() across all paths to prevent permanently breaking user-space retry capabilities.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46275 addresses multiple synchronization defects in the hci_uart driver's initialization and close paths. The vulnerabilities manifest as use-after-free (UAF) and null pointer dereference (NPD) conditions stemming from three main issues: (1) workqueues (init_ready and write_work) are conditionally flushed only if HCI_UART_PROTO_READY is set, causing deferred work to dereference freed `hu` structures if a hangup occurs pre-setup; (2) concurrent invocations of hci_uart_flush() and write_work can double-free hu->tx_skb when protocol timers trigger hci_uart_tx_wakeup() during teardown; and (3) incorrect ordering allows hci_free_dev(hdev) to be called before hu->proto->close(hu), and hci_uart_tty_receive() accesses hu->hdev outside read-lock protection, creating UAF windows during error-path unregistration. The fix reorders the close sequence to clear HCI_UART_PROTO_READY and immediately cancel write_work, relocates proto->close() before hci_free_dev(), moves byte_rx accounting into proto_lock critical sections, and uses cancel_work_sync() consistently to prevent permanent disabling of user-space retry paths.

Business impact

Local attackers with unprivileged access to the system can trigger memory corruption or denial-of-service conditions by forcing Bluetooth device disconnections or initialization failures. The high severity rating (CVSS 7.8) reflects the potential for local privilege escalation, information disclosure, or system instability. On systems where Bluetooth is actively used (laptops, IoT devices, servers with Bluetooth adapters), exploiting these races could lead to kernel panics, authentication bypass, or unintended exposure of sensitive data processed via Bluetooth channels. Organizations relying on Bluetooth connectivity for device communication should treat this as a priority patch to maintain system reliability and security posture.

Affected systems

This vulnerability affects all versions of the Linux kernel prior to the patched release. Any system running a vulnerable kernel build with Bluetooth HCI UART support enabled is at risk. This includes the vast majority of Linux distributions (Ubuntu, Debian, RHEL, SUSE, Fedora, and others) as well as custom kernels with Bluetooth configured. The vulnerability is particularly relevant for desktop and laptop systems, edge computing platforms, and IoT devices that rely on Bluetooth connectivity. Server environments with Bluetooth adapters installed or enabled are also affected. Verify your kernel version and Bluetooth module status against the vendor advisory for your specific distribution.

Exploitability

Exploitation requires local access to the system and the ability to trigger Bluetooth device state transitions or initialization failures. An unprivileged local user can force these conditions by initiating device pairings, disconnections, or by inducing hardware hangups. No remote exploitation vector exists. The race conditions are triggered by specific timing windows during device lifecycle events, making reliable exploitation somewhat timing-dependent, though the underlying defects are deterministic. The vulnerability does not require special privileges to initiate the triggering events, lowering the barrier to attack.

Remediation

Apply the kernel patch that resolves hci_uart lifecycle management by reordering the close sequence to clear HCI_UART_PROTO_READY and cancel write_work first, moving proto->close() before hci_free_dev(), protecting hci_uart_tty_receive() accesses with proper locking, and ensuring consistent use of cancel_work_sync(). Verify the patch version against your Linux distribution's advisory, as stable kernel branches may have been patched at different times. After patching, rebuild and redeploy the kernel, or use your distribution's kernel update mechanism. For interim risk reduction on systems with low Bluetooth usage, disabling Bluetooth via firmware or kernel module blacklisting provides temporary protection, though this is not a substitute for patching.

Patch guidance

Obtain the patched kernel version from your Linux distribution's security update channel. Ubuntu, Debian, RHEL, and other major distributions typically publish CVE fixes in regular kernel updates within weeks of upstream resolution. Check your distribution's advisory page for CVE-2026-46275 to identify the specific patched kernel version. Once the patched version is identified, apply it using your system's package manager (apt, yum, dnf, zypper, etc.), reboot, and verify the new kernel is active via `uname -r`. For custom kernel builds, cherry-pick the upstream commit addressing the hci_uart lifecycle issues into your build tree, recompile, and redeploy. Test Bluetooth functionality post-patch in your environment before rolling out widely.

Detection guidance

Monitor system logs for kernel BUG, Oops, or panic messages containing 'hci_uart', 'use-after-free', or 'NULL pointer dereference' in the Bluetooth subsystem. Deploy kernel sanitizers (KASAN, KFENCE) in test or staging environments to detect memory corruption early. Intrusion detection systems may flag patterns of repeated Bluetooth connection failures or device initialization errors followed by kernel crashes. In production, baseline your kernel version and Bluetooth module configuration; deviations may indicate emergency patches applied. Correlate Bluetooth hardware logs with system-level crashes to identify exploitation attempts. Automated vulnerability scanners can identify vulnerable kernel versions; integrate these into your patching workflow.

Why prioritize this

This vulnerability merits immediate patching for any system with Bluetooth enabled due to the high CVSS score (7.8), local attack vector requiring minimal privilege, and potential for kernel crashes or privilege escalation. The race conditions are triggered by routine Bluetooth operations (pairing, disconnection), making them likely to be encountered in normal usage. The fix is well-tested upstream and available through standard distribution channels, eliminating complexity as a barrier to remediation. Organizations should prioritize laptops, IoT devices, and edge systems with active Bluetooth use.

Risk score, explained

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H yields a score of 7.8 (HIGH). The local attack vector (AV:L) reflects the requirement for local system access. Low attack complexity (AC:L) indicates the race conditions are reliably triggered through normal Bluetooth lifecycle operations. Low privilege requirement (PR:L) allows unprivileged users to initiate device disconnections and initialization failures. The absence of user interaction (UI:N) means the exploit does not require social engineering. Unchanged scope (S:U) means the impact is confined to the vulnerable system. High confidentiality (C:H), integrity (I:H), and availability (A:H) impacts reflect potential data disclosure, system compromise, and denial of service through kernel crashes or privilege escalation.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. This vulnerability requires local access to the system. An attacker must be able to execute local operations or trigger Bluetooth state transitions on the target device. Remote Bluetooth attacks are out of scope for CVE-2026-46275.

Do I need to disable Bluetooth entirely to mitigate this risk?

Disabling Bluetooth is not necessary if you promptly apply the kernel patch. However, if patching is delayed and your system does not rely on Bluetooth, temporarily disabling the module via `sudo modprobe -r bluetooth` or blacklisting it in /etc/modprobe.d provides interim protection until the patch is deployed.

What is the difference between this fix and simply rebooting?

Rebooting temporarily alleviates symptoms (crashes restart the system) but does not address the underlying vulnerability. Once the kernel is rebooted with the patched version, the race conditions are eliminated at the source. Without the patch, the same triggering conditions will cause the issue to recur.

Are there indicators of exploitation in system logs?

Yes. Look for kernel panic messages, Oops dumps, or BUG messages mentioning hci_uart, use-after-free, or NULL pointer dereference in the Bluetooth subsystem. Repeated unexpected Bluetooth device disconnections or initialization failures followed by system crashes are strong indicators. Check dmesg and /var/log/kern.log on Linux systems.

This analysis is based on the publicly disclosed vulnerability description and CVSS scoring. Actual exploitability and impact may vary depending on kernel configuration, hardware, and runtime conditions. Readers should consult their Linux distribution's official security advisory for authoritative patch versions, testing recommendations, and deployment timelines. SEC.co provides this information for informational purposes; organizations should conduct their own risk assessments and testing before deploying patches in production environments. No proof-of-concept code, exploitation techniques, or weaponized details are provided or endorsed. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).