HIGH
bluetooth hci_ldisc ProtoInit Deref
CVE-2026-53073
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
01 Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error

When hci_register_dev() fails in hci_uart_register_dev(), HCI_UART_PROTO_INIT is not cleared before calling hu->proto->close(hu) and setting hu->hdev to NULL. This means incoming UART data will reach the protocol-specific recv handler in hci_uart_tty_receive() after resources are freed.

Clear HCI_UART_PROTO_INIT with a write lock before calling hu->proto->close() and setting hu->hdev to NULL. The write lock ensures all active readers have completed and no new reader can enter the protocol recv path before resources are freed.

This allows the protocol-specific recv functions to remove the "HCI_UART_REGISTERED" guard without risking a null pointer dereference if hci_register_dev() fails.
02 KernelScan AI Analysis
Risk summary
A race condition in the Bluetooth HCI UART line discipline (hci_ldisc) lets incoming UART data reach the protocol-specific receive handler after the device's resources have been freed, when hci_register_dev() fails during initialization. The result is a NULL pointer dereference or use-after-free, which could allow a local attacker with access to a Bluetooth UART device to crash the kernel or escalate privileges. Exploitation requires hitting a narrow timing window while device initialization is failing.
Vulnerability analysis
The root cause is that when hci_register_dev() fails inside hci_uart_register_dev(), the HCI_UART_PROTO_INIT flag is not cleared before hu->proto->close(hu) is called and hu->hdev is set to NULL. Because HCI_UART_PROTO_INIT remains set, concurrent UART receive activity (hci_uart_tty_receive()) can still enter the protocol-specific recv handler after resources have been freed, leading to a NULL pointer dereference or use-after-free on the freed hdev or protocol state. The fix acquires a percpu write lock before clearing HCI_UART_PROTO_INIT, ensuring that all active readers have completed and no new reader can enter the recv path before cleanup proceeds. This is a local race condition that requires a Bluetooth UART device and a specific failure path during initialization, which makes it hard to trigger reliably and is why the CVSS vector rates attack complexity as High.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.258 | ebb39b2d8173 |
| 5.15 | 5.15.209 | ed4033fb85cc |
| 5.4 | 5.5 | 3daa5818e473 |
| 6.1 | 6.1.175 | 356dee1bcac4 |
| 6.12 | 6.12.91 | f4b69c35813c |
| 6.13 | 6.14 | 194f029a4d7f |
| 6.14 | 6.15 | 68d39ea5e0ad |
| 6.18 | 6.18.33 | — |
| 6.6 | 6.6.141 | a673cf6c4ac7 |
| 7.0 | 7.0.10 | — |
| mainline | 7.1 | — |