KernelScan.io

HIGH

bluetooth hci_ldisc ProtoInit Deref

CVE-2026-53073

CVSS 7.0 / 10.0 KernelScan AI

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

01

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error

When hci_register_dev() fails in hci_uart_register_dev(), HCI_UART_PROTO_INIT is not cleared before calling hu->proto->close(hu) and setting hu->hdev to NULL. This means incoming UART data will reach the protocol-specific recv handler in hci_uart_tty_receive() after resources are freed.

Clear HCI_UART_PROTO_INIT with a write lock before calling hu->proto->close() and setting hu->hdev to NULL. The write lock ensures all active readers have completed and no new reader can enter the protocol recv path before resources are freed.

This allows the protocol-specific recv functions to remove the "HCI_UART_REGISTERED" guard without risking a null pointer dereference if hci_register_dev() fails.

02

Engine v0.3.0

Risk summary

A race condition in the Bluetooth HCI UART line discipline allows incoming UART data to reach a protocol-specific receive handler after resources have been freed when hci_register_dev() fails during initialization. This can result in a NULL pointer dereference or use-after-free, potentially allowing a local attacker with access to a Bluetooth UART device to crash the kernel or escalate privileges. Exploitation requires a specific timing window during device initialization failure.

Affected: drivers/bluetooth/hci_ldisc.c (Bluetooth HCI UART line discipline)

Vulnerability analysis

The root cause is that when hci_register_dev() fails inside hci_uart_register_dev(), the HCI_UART_PROTO_INIT flag is not cleared before hu->proto->close(hu) is called and hu->hdev is set to NULL. Because HCI_UART_PROTO_INIT remains set, concurrent UART receive activity (hci_uart_tty_receive()) can still enter the protocol-specific recv handler after resources have been freed, leading to a NULL pointer dereference or a use-after-free on the freed hdev or protocol state. The fix acquires a percpu write lock before clearing HCI_UART_PROTO_INIT, ensuring all active readers have completed and no new reader can enter the recv path before the cleanup proceeds. This is a local race condition that requires a Bluetooth UART device and a specific failure path during initialization, which is why it is rated High attack complexity: the window is hard to hit reliably.

03

Branch     Fixed in    Patch commit
5.10       5.10.258    ebb39b2d8173
5.15       5.15.209    ed4033fb85cc
5.4        5.5         3daa5818e473
6.1        6.1.175     356dee1bcac4
6.12       6.12.91     f4b69c35813c
6.13       6.14        194f029a4d7f
6.14       6.15        68d39ea5e0ad
6.18       6.18.33
6.6        6.6.141     a673cf6c4ac7
7.0        7.0.10
mainline   7.1