Linux kernel btintel: serialize btintel_hw_error() against use-after-free
CVE-2026-31500 Published on April 22, 2026
Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock
btintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESET
and Intel exception-info retrieval) without holding
hci_req_sync_lock(). This lets it race against
hci_dev_do_close() -> btintel_shutdown_combined(), which also runs
__hci_cmd_sync() under the same lock. When both paths manipulate
hdev->req_status/req_rsp concurrently, the close path may free the
response skb first, and the still-running hw_error path hits a
slab-use-after-free in kfree_skb().
Wrap the whole recovery sequence in hci_req_sync_lock/unlock so it
is serialized with every other synchronous HCI command issuer.
Below is the data race report and the kasan report:
BUG: data-race in __hci_cmd_sync_sk / btintel_shutdown_combined
read of hdev->req_rsp at net/bluetooth/hci_sync.c:199
by task kworker/u17:1/83:
__hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200
__hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223
btintel_hw_error+0x114/0x670 drivers/bluetooth/btintel.c:254
hci_error_reset+0x348/0xa30 net/bluetooth/hci_core.c:1030
write/free by task ioctl/22580:
btintel_shutdown_combined+0xd0/0x360
drivers/bluetooth/btintel.c:3648
hci_dev_close_sync+0x9ae/0x2c10 net/bluetooth/hci_sync.c:5246
hci_dev_do_close+0x232/0x460 net/bluetooth/hci_core.c:526
BUG: KASAN: slab-use-after-free in
sk_skb_reason_drop+0x43/0x380 net/core/skbuff.c:1202
Read of size 4 at addr ffff888144a738dc
by task kworker/u17:1/83:
__hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200
__hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223
btintel_hw_error+0x186/0x670 drivers/bluetooth/btintel.c:260
Products Associated with CVE-2026-31500
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version 973bb97e5aee56edddaae3d5c96877101ad509c0 and below 5f84e845648dfa86e42de5487f1a774b42f0444d is affected.
- Version 973bb97e5aee56edddaae3d5c96877101ad509c0 and below e10a4cb72468686ffbe8bb2b0520e37f6be1a0c5 is affected.
- Version 973bb97e5aee56edddaae3d5c96877101ad509c0 and below 66696648af477dc87859e5e4b607112f5f29d010 is affected.
- Version 973bb97e5aee56edddaae3d5c96877101ad509c0 and below f7d84737663ad4a120d2d8ef1561a4df91282c2e is affected.
- Version 973bb97e5aee56edddaae3d5c96877101ad509c0 and below 94d8e6fe5d0818e9300e514e095a200bd5ff93ae is affected.
- Version 4.3 is affected.
- Before 4.3 is unaffected.
- Version 6.6.131, <= 6.6.* is unaffected.
- Version 6.12.80, <= 6.12.* is unaffected.
- Version 6.18.21, <= 6.18.* is unaffected.
- Version 6.19.11, <= 6.19.* is unaffected.
- Version 7.0, <= * is unaffected.