CVE-2026-23146

MEDIUM

Linux kernel - Null Pointer Dereference

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work hci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling hci_uart_register_dev(), which calls proto->open() to initialize hu->priv. However, if a TTY write wakeup occurs during this window, hci_uart_tx_wakeup() may schedule write_work before hu->priv is initialized, leading to a NULL pointer dereference in hci_uart_write_work() when proto->dequeue() accesses hu->priv. The race condition is: CPU0 CPU1 ---- ---- hci_uart_set_proto() set_bit(HCI_UART_PROTO_INIT) hci_uart_register_dev() tty write wakeup hci_uart_tty_wakeup() hci_uart_tx_wakeup() schedule_work(&hu->write_work) proto->open(hu) // initializes hu->priv hci_uart_write_work() hci_uart_dequeue() proto->dequeue(hu) // accesses hu->priv (NULL!) Fix this by moving set_bit(HCI_UART_PROTO_INIT) after proto->open() succeeds, ensuring hu->priv is initialized before any work can be scheduled.

References (7)

Scores

CVSS v3 5.5
EPSS 0.0002
EPSS Percentile 4.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-476
Status published
Products (27)
linux/Kernel < 5.10.249linux
linux/Kernel 5.11.0 - 5.15.199linux
linux/Kernel 5.16.0 - 6.1.162linux
linux/Kernel 6.13.0 - 6.18.9linux
linux/Kernel 6.2.0 - 6.6.123linux
linux/Kernel 6.7.0 - 6.12.69linux
Linux/Linux < 6.15
Linux/Linux 02e1bcdfdf769974e7e9fa285e295cd9852e2a38 - 186d147cf7689ba1f9b3ddb753ab634a84940cc9
Linux/Linux 1dcf08fcff5ca529de6dc0395091f28854f4e54a
Linux/Linux 281782d2c6730241e300d630bb9f200d831ede71 - 53e54cb31e667fca05b1808b990eac0807d1dab0
... and 17 more
Published Feb 14, 2026
Tracked Since Feb 18, 2026