CVE-2026-23146

Published: Feb 14, 2026

Modified: May 23, 2026

PUBLISHED

Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work hci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling hci_uart_register_dev(), which calls proto->open() to initialize hu->priv. However, if a TTY write wakeup occurs during this window, hci_uart_tx_wakeup() may schedule write_work before hu->priv is initialized, leading to a NULL pointer dereference in hci_uart_write_work() when proto->dequeue() accesses hu->priv. The race condition is: CPU0 CPU1 ---- ---- hci_uart_set_proto() set_bit(HCI_UART_PROTO_INIT) hci_uart_register_dev() tty write wakeup hci_uart_tty_wakeup() hci_uart_tx_wakeup() schedule_work(&hu->write_work) proto->open(hu) // initializes hu->priv hci_uart_write_work() hci_uart_dequeue() proto->dequeue(hu) // accesses hu->priv (NULL!) Fix this by moving set_bit(HCI_UART_PROTO_INIT) after proto->open() succeeds, ensuring hu->priv is initialized before any work can be scheduled.

Vendor	Product	Versions
Linux	Linux	affected `a40f94f7caa8d3421b64f63ac31bc0f24c890f39 - < b0a900939e7e4866d9b90e9112514b72c451e873` affected `9e5a0f5777162e503400c70c6ed25fbbe2d38799 - < ccc683f597ceb28deb966427ae948e5ac739a909` affected `80f14e9de6a43a0bd8194cad1003a3e6dcbc3984 - < 937a573423ce5a96fdb1fd425dc6b8d8d4ab5779` affected `02e1bcdfdf769974e7e9fa285e295cd9852e2a38 - < 186d147cf7689ba1f9b3ddb753ab634a84940cc9` affected `281782d2c6730241e300d630bb9f200d831ede71 - < 53e54cb31e667fca05b1808b990eac0807d1dab0` +13 more versions
Linux	Linux	affected `6.15` unaffected `0 - < 6.15` unaffected `5.10.249 - <= 5.10.` unaffected `5.15.199 - <= 5.15.` unaffected `6.1.162 - <= 6.1.*` +4 more versions