CVE-2022-50339

HIGH

Linux Kernel 6.0-6.0.3 - Race Condition in Bluetooth HCI Management Flag Handling

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: avoid hci_dev_test_and_set_flag() in mgmt_init_hdev() syzbot is again reporting attempt to cancel uninitialized work at mgmt_index_removed() [1], for setting of HCI_MGMT flag from mgmt_init_hdev() from hci_mgmt_cmd() from hci_sock_sendmsg() can race with testing of HCI_MGMT flag from mgmt_index_removed() from hci_sock_bind() due to lack of serialization via hci_dev_lock(). Since mgmt_init_hdev() is called with mgmt_chan_list_lock held, we can safely split hci_dev_test_and_set_flag() into hci_dev_test_flag() and hci_dev_set_flag(). Thus, in order to close this race, set HCI_MGMT flag after INIT_DELAYED_WORK() completed. This is a local fix based on mgmt_chan_list_lock. Lack of serialization via hci_dev_lock() might be causing different race conditions somewhere else. But a global fix based on hci_dev_lock() should deserve a future patch.

References (2)

Core 2

Core References

Patch

https://git.kernel.org/stable/c/e53c6180db8dd09de94e0a3bdf4fef6f5f9dd6e6

Patch

https://git.kernel.org/stable/c/f74ca25d6d6629ffd4fd80a1a73037253b57d06b

Scores

CVSS v3 7.0

EPSS 0.0010

EPSS Percentile 1.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-362

Status published

Products (8)

linux/Kernel 6.0.0 - 6.0.3linux

Linux/Linux < 6.0

Linux/Linux 3f2893d3c142986aa935821460cb3adb77044722 - e53c6180db8dd09de94e0a3bdf4fef6f5f9dd6e6

Linux/Linux 3f2893d3c142986aa935821460cb3adb77044722 - f74ca25d6d6629ffd4fd80a1a73037253b57d06b

Linux/Linux 6.0

Linux/Linux 6.0.3 - 6.0.*

Linux/Linux 6.1

linux/linux_kernel 6.0 - 6.0.3

Published Sep 16, 2025

Tracked Since Feb 18, 2026