CVE-2026-23146

Description

In the Linux kernel, the following vulnerability has been resolved:Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_workhci_uart_set_proto() sets HCI_UART_PROTO_INIT before callinghci_uart_register_dev(), which calls proto->open() to initializehu->priv. However, if a TTY write wakeup occurs during this window,hci_uart_tx_wakeup() may schedule write_work before hu->priv isinitialized, leading to a null pointer dereference inhci_uart_write_work() when proto->dequeue() accesses hu->priv.The race condition is: CPU0 CPU1 ---- ---- hci_uart_set_proto() set_bit(HCI_UART_PROTO_INIT) hci_uart_register_dev() tty write wakeup hci_uart_tty_wakeup() hci_uart_tx_wakeup() schedule_work(&hu->write_work) proto->open(hu) // initializes hu->priv hci_uart_write_work() hci_uart_dequeue() proto->dequeue(hu) // accesses hu->priv (null!)Fix this by moving set_bit(HCI_UART_PROTO_INIT) after proto->open()succeeds, ensuring hu->priv is initialized before any work can bescheduled.

Risk Information

Base Score

5.3

MODERATE

Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L

EPSS Score

Exploitation Probability

0.032

Associated Vulnerability

No records found

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234