CVE-2026-46275: Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths

Vulnerabilities leading to Use-After-Free (UAF) and Null Pointer Dereference (NPD) conditions were observed in the lifecycle management of hci_uart. The primary issue arises because the workqueues (init_ready and write_work) are only flushed/cancelled if the HCI_UART_PROTO_READY flag is set during TTY close. If a hangup occurs before setup completes, hci_uart_tty_close() skips the teardown of these workqueues and proceeds to free the `hu` struct. When the scheduled work executes later, it blindly dereferences the freed `hu` struct.

Furthermore, several data races and UAFs were identified in the teardown sequence:

1. Calling hci_uart_flush() from hci_uart_close() without effectively disabling write_work causes a race condition where both can concurrently double-free hu->tx_skb. This happens because protocol timers can concurrently invoke hci_uart_tx_wakeup() and requeue write_work.
2. Calling hci_free_dev(hdev) before hu->proto->close(hu) causes a UAF when vendor specific protocol close callbacks dereference hu->hdev.
3. In the initialization error paths, failing to take the proto_lock write lock before clearing PROTO_READY leads to races with active readers. Additionally, hci_uart_tty_receive() accesses hu->hdev outside the read lock, leading to UAFs if the initialization error path frees hdev concurrently.

Fix these synchronization and lifecycle issues by:

1. Re-ordering hci_uart_tty_close() to clear HCI_UART_PROTO_READY first, followed immediately by a cancel_work_sync(&hu->write_work). Clearing the flag locks out concurrent protocol timers from successfully invoking hci_uart_tx_wakeup(), effectively rendering the cancellation permanent and preventing the tx_skb double-free.
2. Note: Clearing PROTO_READY early causes hci_uart_close() to skip hu->proto->flush(). This is perfectly safe in the tty_close path because hu->proto->close() executes shortly after, which intrinsically purges all protocol SKB queues and tears down the state.
3. Relocating hu->proto->close(hu) strictly prior to hci_free_dev(hdev) across all close and error paths to prevent vendor-level UAFs.
4. Moving the hdev->stat.byte_rx increment in hci_uart_tty_receive() inside the proto_lock read-side critical section to safely synchronize with device unregistration.
5. Adding cancel_work_sync(&hu->write_work) to hci_uart_close() to safely flush the workqueue before hci_uart_flush() is invoked via the HCI core.
6. Utilizing cancel_work_sync() instead of disable_work_sync() across all paths to prevent permanently breaking user-space retry capabilities.
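The following userland C model is an added illustration, not code from this page or from the Linux kernel. It exercises the two ordering points the commit text makes for the TTY close path: the work item must be cancelled unconditionally (not only when HCI_UART_PROTO_READY happens to be set), and hu->proto->close() must run before hci_free_dev(). The workqueue, flag and free primitives (schedule_work, cancel_work_sync, hci_free_dev, kfree_hu, proto_close, the struct layouts, and PROTO_READY kept as a plain bit mask) are hypothetical stand-ins with the kernel's names but not its implementations; "frees" are recorded rather than performed, so an access to a freed object is counted instead of crashing. The hangup-before-setup scenario is constructed for the model.

```c
/* Userland model of the hci_uart close-path ordering, constructed for this
 * page. Not kernel code: the workqueue, flag and free primitives below are
 * hypothetical stand-ins so the ordering can be exercised without a kernel.
 * Frees are recorded, not performed, so a use-after-free is counted, never run. */
#include <stdbool.h>
#include <stddef.h>

#define HCI_UART_PROTO_READY 0x1  /* plain bit mask, not the kernel bit index */
struct hci_dev { bool freed; };

struct work_struct {
    bool pending;                 /* queued but not yet run */
    void (*fn)(void *);
    void *arg;
};

struct hci_uart {
    unsigned long flags;
    struct hci_dev *hdev;
    struct work_struct write_work;
    bool freed;
    int uaf_count;                /* accesses that touched "freed" memory */
};

/* Simulated workqueue: schedule marks the item pending; a later drain runs it. */
static void schedule_work(struct work_struct *w) { w->pending = true; }

static bool cancel_work_sync(struct work_struct *w)
{
    bool was_pending = w->pending;
    w->pending = false;           /* a cancelled item never runs again */
    return was_pending;
}

static void run_pending_work(struct work_struct *w)
{
    if (!w->pending) return;
    w->pending = false;
    w->fn(w->arg);
}

/* write_work body: the real one dereferences hu to drain its TX queue. */
static void write_work_fn(void *arg)
{
    struct hci_uart *hu = arg;
    if (hu->freed)
        hu->uaf_count++;          /* would be a UAF on the freed hu struct */
}

/* Vendor protocol close callback, which (as the commit notes) reads hu->hdev. */
static void proto_close(struct hci_uart *hu)
{
    if (hu->hdev->freed)
        hu->uaf_count++;          /* would be a UAF on the freed hdev */
}

static void hci_free_dev(struct hci_dev *hdev) { hdev->freed = true; }
static void kfree_hu(struct hci_uart *hu) { hu->freed = true; }

/* Problem ordering: work is cancelled only when PROTO_READY is already set,
 * and hdev is freed before the protocol close callback runs. */
static void tty_close_vulnerable(struct hci_uart *hu)
{
    if (hu->flags & HCI_UART_PROTO_READY) {
        hu->flags &= ~HCI_UART_PROTO_READY;
        cancel_work_sync(&hu->write_work);
    }
    hci_free_dev(hu->hdev);
    proto_close(hu);
    kfree_hu(hu);
}

/* Fixed ordering from the commit text: clear the flag, cancel the work
 * unconditionally, run the protocol close, then free hdev and hu. */
static void tty_close_fixed(struct hci_uart *hu)
{
    hu->flags &= ~HCI_UART_PROTO_READY;
    cancel_work_sync(&hu->write_work);
    proto_close(hu);
    hci_free_dev(hu->hdev);
    kfree_hu(hu);
}

/* Constructed scenario: a hangup arrives before setup completes (PROTO_READY
 * still clear) while write_work is queued. Returns the freed-memory accesses. */
static int simulate_hangup_before_setup(void (*tty_close)(struct hci_uart *))
{
    struct hci_dev hdev = { .freed = false };
    struct hci_uart hu = {
        .flags = 0, .hdev = &hdev, .freed = false, .uaf_count = 0,
        .write_work = { .pending = false, .fn = write_work_fn, .arg = NULL },
    };
    hu.write_work.arg = &hu;
    schedule_work(&hu.write_work);      /* queued by the init path */
    tty_close(&hu);                     /* TTY hangup */
    run_pending_work(&hu.write_work);   /* deferred work fires afterwards */
    return hu.uaf_count;
}
```

Running the scenario through tty_close_vulnerable records two freed-memory accesses (the vendor close callback reading the already-freed hdev, then the deferred write_work touching the freed hu); through tty_close_fixed it records none, because the unconditional cancel_work_sync() means the work never runs and hdev is still live when the protocol close callback executes.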
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: 0
- Affected Products: 2
HarborGuard Analysis
Synopsis
Use-after-free (UAF) and race-condition vulnerabilities exist in the Linux kernel's Bluetooth HCI UART driver (hci_uart), affecting kernel versions before the listed fix commits across the 4.15, 4.20, and 5.5 stable branches. The flaws are reachable locally by a low-privileged user who can interact with a Bluetooth UART device, and no network access or victim interaction is required. Successful exploitation gives an attacker full read, write, and crash capabilities over the affected kernel context. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running an affected kernel version.
HarborGuard Coverage
Detection of CVE-2026-46275 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle an affected Linux kernel version. Any image whose kernel version falls within the vulnerable range is flagged automatically in the registry scan and CI/CD pipeline check.
HarborGuard scores this CVE at CVSS 7.8 HIGH (v3.1) and weights it against each environment's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within each customer organization based on workload ownership and policy thresholds configured for that environment.
A patched-image rebuild pinned to the upstream fix commits (targeting the 4.15, 4.20, and 5.5 stable branches) is available on HarborGuard for images running an affected kernel. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host; no network path to the target is required.
- Authentication: Required
  Any low-privilege local account is sufficient; no elevated or administrative credentials are needed.
- Victim interaction: Not required
  No user interaction or social engineering is required; the attacker triggers the vulnerability entirely through local actions.
- Attack complexity: Low (AC:L)
  The exploit is reliable and condition-free at the CVSS level (AC:L), though in practice triggering the race window requires careful timing of workqueue scheduling and TTY teardown events.
Blast Radius
- Reads kernel memory, including credentials, session tokens, and data from other processes sharing the same kernel context.
- Writes to arbitrary kernel memory, enabling privilege escalation or tampering with kernel data structures.
- Crashes the affected host by dereferencing freed memory or null pointers, causing a kernel panic and full service disruption.
- Compromises the Bluetooth stack entirely, potentially affecting all Bluetooth-connected peripherals and their data in transit.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of ingestion for any image whose bundled Linux kernel falls in the vulnerable range across the 4.15, 4.20, and 5.5 lineages. For customers who opt into auto-remediation, a rebuilt image pinned to the upstream fix commits is generated, a regression test run is executed against the new image, and a PR is opened against affected workloads automatically. Where compliance policy requires manual approval, the rebuilt image and test report are staged and surfaced in the HarborGuard dashboard for one-click promotion. Given the HIGH severity and the local-privilege-escalation impact (full C/I/A), HarborGuard recommends prioritizing this fix for any image that packages a Bluetooth-capable kernel in the affected version range, particularly images used in embedded, IoT, or desktop workloads where Bluetooth UART hardware may be present.
Fix available
- Linux / Linux (fixed by commit; affected from 3b799254cf6f481460719023d7a18f46651e5e7f)
  - < 78aad93e938f013d9272fe0ee168f27883afa95c
  - < e2d19969c8d9198ecc3090bcd5312ecd503a3339
  - < c85cff648a2bc92322912db5f1727ad05afae7b6
  - < 9d20d48be2c4a071fb015eb09bda2cecd25daf34
  - < 81c7a3c22a0f2808cf4ae0b4908f59763b23606d
  - < 192cb0f1ca706d9a1bc36ae0ad5f666d1e4fd894
- Linux / Linux 5.10: Fixed in 0, 5.10.258, 5.15.209, 6.1.175, 6.6.142, 6.12.92, 6.18.34, 7.0.11, 7.1-rc5
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H