{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23146", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.974Z", "datePublished": "2026-02-14T16:01:16.169Z", "dateUpdated": "2026-05-11T22:01:05.964Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:01:05.964Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work\n\nhci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling\nhci_uart_register_dev(), which calls proto->open() to initialize\nhu->priv. However, if a TTY write wakeup occurs during this window,\nhci_uart_tx_wakeup() may schedule write_work before hu->priv is\ninitialized, leading to a NULL pointer dereference in\nhci_uart_write_work() when proto->dequeue() accesses hu->priv.\n\nThe race condition is:\n\n CPU0 CPU1\n ---- ----\n hci_uart_set_proto()\n set_bit(HCI_UART_PROTO_INIT)\n hci_uart_register_dev()\n tty write wakeup\n hci_uart_tty_wakeup()\n hci_uart_tx_wakeup()\n schedule_work(&hu->write_work)\n proto->open(hu)\n // initializes hu->priv\n hci_uart_write_work()\n hci_uart_dequeue()\n proto->dequeue(hu)\n // accesses hu->priv (NULL!)\n\nFix this by moving set_bit(HCI_UART_PROTO_INIT) after proto->open()\nsucceeds, ensuring hu->priv is initialized before any work can be\nscheduled."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/bluetooth/hci_ldisc.c"], "versions": [{"version": "a40f94f7caa8d3421b64f63ac31bc0f24c890f39", "lessThan": "b0a900939e7e4866d9b90e9112514b72c451e873", "status": "affected", "versionType": "git"}, {"version": "9e5a0f5777162e503400c70c6ed25fbbe2d38799", "lessThan": "ccc683f597ceb28deb966427ae948e5ac739a909", "status": "affected", "versionType": "git"}, {"version": "80f14e9de6a43a0bd8194cad1003a3e6dcbc3984", "lessThan": "937a573423ce5a96fdb1fd425dc6b8d8d4ab5779", "status": "affected", "versionType": "git"}, {"version": "02e1bcdfdf769974e7e9fa285e295cd9852e2a38", "lessThan": "186d147cf7689ba1f9b3ddb753ab634a84940cc9", "status": "affected", "versionType": "git"}, {"version": "281782d2c6730241e300d630bb9f200d831ede71", "lessThan": "53e54cb31e667fca05b1808b990eac0807d1dab0", "status": "affected", "versionType": "git"}, {"version": "5df5dafc171b90d0b8d51547a82657cd5a1986c7", "lessThan": "03e8c90c62233382042b7bd0fa8b8900552fdb62", "status": "affected", "versionType": "git"}, {"version": "5df5dafc171b90d0b8d51547a82657cd5a1986c7", "lessThan": "0c3cd7a0b862c37acbee6d9502107146cc944398", "status": "affected", "versionType": "git"}, {"version": "1dcf08fcff5ca529de6dc0395091f28854f4e54a", "status": "affected", "versionType": "git"}, {"version": "8e5aff600539e5faea294d9612cca50220e602b8", "status": "affected", "versionType": "git"}, {"version": "db7509fa110dd9b11134b75894677f30353b2c51", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/bluetooth/hci_ldisc.c"], "versions": [{"version": "6.15", "status": "affected"}, {"version": "0", "lessThan": "6.15", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.249", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.199", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.162", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.123", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.69", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.9", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.237", "versionEndExcluding": "5.10.249"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.181", "versionEndExcluding": "5.15.199"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.135", "versionEndExcluding": "6.1.162"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.88", "versionEndExcluding": "6.6.123"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.24", "versionEndExcluding": "6.12.69"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.18.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.293"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13.12"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14.3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/b0a900939e7e4866d9b90e9112514b72c451e873"}, {"url": "https://git.kernel.org/stable/c/ccc683f597ceb28deb966427ae948e5ac739a909"}, {"url": "https://git.kernel.org/stable/c/937a573423ce5a96fdb1fd425dc6b8d8d4ab5779"}, {"url": "https://git.kernel.org/stable/c/186d147cf7689ba1f9b3ddb753ab634a84940cc9"}, {"url": "https://git.kernel.org/stable/c/53e54cb31e667fca05b1808b990eac0807d1dab0"}, {"url": "https://git.kernel.org/stable/c/03e8c90c62233382042b7bd0fa8b8900552fdb62"}, {"url": "https://git.kernel.org/stable/c/0c3cd7a0b862c37acbee6d9502107146cc944398"}], "title": "Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4D6F83CA-7E5C-4A91-9D8C-71CC85535E7D", "versionEndExcluding": "5.5", "versionStartIncluding": "5.4.293", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "339F6FF4-79D2-49BC-9E0D-68FB6F1201E9", "versionEndExcluding": "5.10.249", "versionStartIncluding": "5.10.237", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "FDF3BBC9-1D58-4300-AD4C-591A4919AAC0", "versionEndExcluding": "5.15.199", "versionStartIncluding": "5.15.181", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B08612A5-165F-449C-B5B5-6830D99A6A48", "versionEndExcluding": "6.1.162", "versionStartIncluding": "6.1.135", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0D79ED79-3597-4CCE-95EF-DED9FD319AA1", "versionEndExcluding": "6.6.123", "versionStartIncluding": "6.6.88", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D8AE027B-66A3-434F-AC67-50F44A6A41EF", "versionEndExcluding": "6.12.69", "versionStartIncluding": "6.12.24", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A1F1E5FF-68CB-46CE-BC4F-8E19FA72A921", "versionEndExcluding": "6.14", "versionStartIncluding": "6.13.12", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0FBCCA71-8616-4922-B963-927778DB4B44", "versionEndExcluding": "6.18.9", "versionStartIncluding": "6.14.3", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work\n\nhci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling\nhci_uart_register_dev(), which calls proto->open() to initialize\nhu->priv. However, if a TTY write wakeup occurs during this window,\nhci_uart_tx_wakeup() may schedule write_work before hu->priv is\ninitialized, leading to a NULL pointer dereference in\nhci_uart_write_work() when proto->dequeue() accesses hu->priv.\n\nThe race condition is:\n\n CPU0 CPU1\n ---- ----\n hci_uart_set_proto()\n set_bit(HCI_UART_PROTO_INIT)\n hci_uart_register_dev()\n tty write wakeup\n hci_uart_tty_wakeup()\n hci_uart_tx_wakeup()\n schedule_work(&hu->write_work)\n proto->open(hu)\n // initializes hu->priv\n hci_uart_write_work()\n hci_uart_dequeue()\n proto->dequeue(hu)\n // accesses hu->priv (NULL!)\n\nFix this by moving set_bit(HCI_UART_PROTO_INIT) after proto->open()\nsucceeds, ensuring hu->priv is initialized before any work can be\nscheduled."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nBluetooth: hci_uart: correcci\u00f3n de desreferencia de puntero nulo en hci_uart_write_work\n\nhci_uart_set_proto() establece HCI_UART_PROTO_INIT antes de llamar a hci_uart_register_dev(), que llama a proto->open() para inicializar hu->priv. Sin embargo, si una activaci\u00f3n de escritura TTY ocurre durante esta ventana, hci_uart_tx_wakeup() puede programar write_work antes de que hu->priv sea inicializado, lo que lleva a una desreferencia de puntero NULL en hci_uart_write_work() cuando proto->dequeue() accede a hu->priv.\n\nLa condici\u00f3n de carrera es:\n\n CPU0 CPU1\n ---- ----\n hci_uart_set_proto()\n set_bit(HCI_UART_PROTO_INIT)\n hci_uart_register_dev()\n activaci\u00f3n de escritura tty\n hci_uart_tty_wakeup()\n hci_uart_tx_wakeup()\n schedule_work(&hu->write_work)\n proto->open(hu)\n // inicializa hu->priv\n hci_uart_write_work()\n hci_uart_dequeue()\n proto->dequeue(hu)\n // accede a hu->priv (\u00a1NULL!)\n\nEsto se soluciona moviendo set_bit(HCI_UART_PROTO_INIT) despu\u00e9s de que proto->open() se complete con \u00e9xito, asegurando que hu->priv est\u00e9 inicializado antes de que se pueda programar cualquier trabajo."}], "id": "CVE-2026-23146", "lastModified": "2026-03-17T21:13:01.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-14T16:15:54.703", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/03e8c90c62233382042b7bd0fa8b8900552fdb62"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0c3cd7a0b862c37acbee6d9502107146cc944398"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/186d147cf7689ba1f9b3ddb753ab634a84940cc9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/53e54cb31e667fca05b1808b990eac0807d1dab0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/937a573423ce5a96fdb1fd425dc6b8d8d4ab5779"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b0a900939e7e4866d9b90e9112514b72c451e873"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ccc683f597ceb28deb966427ae948e5ac739a909"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work", "id": "2439882", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439882"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nBluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work\nhci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling\nhci_uart_register_dev(), which calls proto->open() to initialize\nhu->priv. However, if a TTY write wakeup occurs during this window,\nhci_uart_tx_wakeup() may schedule write_work before hu->priv is\ninitialized, leading to a NULL pointer dereference in\nhci_uart_write_work() when proto->dequeue() accesses hu->priv.\nThe race condition is:\nCPU0 CPU1\n---- ----\nhci_uart_set_proto()\nset_bit(HCI_UART_PROTO_INIT)\nhci_uart_register_dev()\ntty write wakeup\nhci_uart_tty_wakeup()\nhci_uart_tx_wakeup()\nschedule_work(&hu->write_work)\nproto->open(hu)\n// initializes hu->priv\nhci_uart_write_work()\nhci_uart_dequeue()\nproto->dequeue(hu)\n// accesses hu->priv (NULL!)\nFix this by moving set_bit(HCI_UART_PROTO_INIT) after proto->open()\nsucceeds, ensuring hu->priv is initialized before any work can be\nscheduled."], "name": "CVE-2026-23146", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Under investigation", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23146\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23146\nhttps://lore.kernel.org/linux-cve-announce/2026021411-CVE-2026-23146-3658@gregkh/T"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a40f94f7caa8d3421b64f63ac31bc0f24c890f39,b0a900939e7e4866d9b90e9112514b72c451e873)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[9e5a0f5777162e503400c70c6ed25fbbe2d38799,ccc683f597ceb28deb966427ae948e5ac739a909)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[80f14e9de6a43a0bd8194cad1003a3e6dcbc3984,937a573423ce5a96fdb1fd425dc6b8d8d4ab5779)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[02e1bcdfdf769974e7e9fa285e295cd9852e2a38,186d147cf7689ba1f9b3ddb753ab634a84940cc9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[281782d2c6730241e300d630bb9f200d831ede71,53e54cb31e667fca05b1808b990eac0807d1dab0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5df5dafc171b90d0b8d51547a82657cd5a1986c7,03e8c90c62233382042b7bd0fa8b8900552fdb62)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5df5dafc171b90d0b8d51547a82657cd5a1986c7,0c3cd7a0b862c37acbee6d9502107146cc944398)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "1dcf08fcff5ca529de6dc0395091f28854f4e54a"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "8e5aff600539e5faea294d9612cca50220e602b8"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "db7509fa110dd9b11134b75894677f30353b2c51"}}], "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.15"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.15)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.10.249,5.11.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.15.199,5.16.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.162,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.123,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.69,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.9,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19,*]"}}], "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-17T19:36:53.819781+00:00", "value": {"mitigation_remediation": ["Apply the kernel update that includes the hci_uart fix (for example, upgrade to Linux kernel 6.19.1 or later).", "If an immediate update is not possible, apply the upstream patch that moves set_bit(HCI_UART_PROTO_INIT) after proto->open() and recompile the kernel.", "As a temporary containment measure, disable the Bluetooth HCI UART driver by unloading the module or removing it from the kernel configuration to prevent the race condition from occurring."], "summary": {"action": "Patch Immediately", "impact": "Kernel Crash (Denial of Service)"}, "threat_synthesis": {"affected_systems": "Linux kernel builds containing the hci_uart driver are affected, including the release candidates of version 6.19 (rc1 through rc7) as listed in the CPE data. Administrators running these kernel releases should verify whether the patch has been applied.", "description_and_impact": "The vulnerability is a race condition within the Bluetooth HCI over UART driver; a TTY write wakeup can schedule work before the UART instance is fully set up, causing a null pointer dereference in hci_uart_write_work. This triggers a kernel crash, leading to system unavailability and a forced reboot.", "risk_and_exploitability": "With a CVSS score of 5.5 the flaw is of medium severity, and the EPSS score below 1% indicates a very low likelihood of exploitation. It is not listed in the CISA KEV catalog. Exploitation requires a race between a TTY wakeup and driver initialization, typically needing local privileged access or an active UART interface. Workarounds are limited, making the safest approach to update to a patched kernel version."}}}}, "created": "2026-02-16T12:01:21.033368+00:00", "updated": "2026-04-17T19:45:25.898176+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}