
CVE-2026-23146: Linux Kernel Race Condition Vulnerability

CVE-2026-23146 is a race condition vulnerability in the Linux kernel Bluetooth hci_uart module that causes a NULL pointer dereference. This article covers the technical details, affected versions, impact, and mitigation.

CVE-2026-23146 Overview

CVE-2026-23146 is a NULL pointer dereference vulnerability in the Linux kernel's Bluetooth HCI UART subsystem. The flaw resides in hci_uart_write_work() and stems from a race condition during protocol initialization. An attacker with local access can trigger the race by inducing a TTY write wakeup while hci_uart_register_dev() is still executing, causing the kernel to access an uninitialized hu->priv pointer. The result is a kernel crash and denial of service on the affected host. The issue affects Linux kernel 6.19 release candidates and earlier versions referenced in the upstream stable tree fix commits.

Critical Impact

Local users can trigger a kernel NULL pointer dereference in the Bluetooth HCI UART driver, leading to a system crash and full availability loss [CWE-476].

Affected Products

  • Linux kernel 6.19-rc1 through 6.19-rc7
  • Linux kernel stable branches prior to the patched commits
  • Distributions shipping vulnerable Bluetooth hci_uart driver builds

Discovery Timeline

  • 2026-02-14 - CVE-2026-23146 published to NVD
  • 2026-03-17 - Last updated in NVD database

Technical Details for CVE-2026-23146

Vulnerability Analysis

The vulnerability lives in the Linux Bluetooth HCI UART transport driver, which bridges Bluetooth controllers connected over serial lines to the kernel's HCI layer. The function hci_uart_set_proto() sets the HCI_UART_PROTO_INIT flag before calling hci_uart_register_dev(), which in turn invokes proto->open() to allocate and initialize protocol private state in hu->priv.

Because HCI_UART_PROTO_INIT is set early, any TTY write wakeup arriving during this initialization window is treated as valid. The wakeup path calls hci_uart_tx_wakeup(), which schedules write_work on the kernel workqueue. When that work runs, hci_uart_write_work() calls proto->dequeue(hu), which dereferences the still-NULL hu->priv. The resulting kernel oops produces an immediate denial of service.

Root Cause

The root cause is an ordering bug between flag publication and pointer initialization [CWE-476]. The HCI_UART_PROTO_INIT bit signals readiness before the protocol private data exists, allowing concurrent code paths to act on a partially constructed object. The upstream fix moves set_bit(HCI_UART_PROTO_INIT) to execute only after proto->open() returns successfully, ensuring hu->priv is fully initialized before any scheduled work observes the ready state.
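
The ordering described above can be reproduced deterministically in a small user-space model. This is an added example, not kernel code or the upstream patch: the class layout, the `during_init` hook that injects the wakeup inside the initialization window, and the `outcome` helper are assumptions made for illustration.

```python
# Simplified user-space model of the ordering bug; this is not kernel code.
# Names mirror functions on this page, but every body here is an assumption.
PROTO_INIT = "HCI_UART_PROTO_INIT"

class Proto:
    def open(self, hu):
        hu.priv = {"txq": [b"pkt"]}          # proto->open() allocates hu->priv

    def dequeue(self, hu):
        if hu.priv is None:                  # the kernel would oops here
            raise RuntimeError("NULL hu->priv dereferenced in dequeue")
        return hu.priv["txq"].pop(0)

class HciUart:
    def __init__(self):
        self.flags, self.priv, self.proto = set(), None, Proto()
        self.pending = []                    # stands in for the workqueue

    def tty_wakeup(self):
        if PROTO_INIT in self.flags:         # wakeup honoured once flag is visible
            self.pending.append(self.write_work)

    def write_work(self):
        return self.proto.dequeue(self)

    def run_pending(self):
        work, self.pending = self.pending, []
        return [w() for w in work]

def set_proto(hu, fixed, during_init):
    """Attach the protocol; during_init runs inside the window before open()."""
    if not fixed:
        hu.flags.add(PROTO_INIT)             # vulnerable: flag published first
    during_init(hu)                          # concurrent wakeup + worker
    hu.proto.open(hu)                        # hu->priv becomes valid
    if fixed:
        hu.flags.add(PROTO_INIT)             # fixed: flag set only after open()

def wakeup_and_run(hu):
    hu.tty_wakeup()
    return hu.run_pending()

def outcome(fixed):
    hu = HciUart()
    try:
        set_proto(hu, fixed, during_init=wakeup_and_run)
    except RuntimeError:
        return "oops"
    return wakeup_and_run(hu)                # after init the same wakeup is safe
```

With the flag published first, the injected wakeup schedules work that reaches `dequeue` while `priv` is still unset; with the fixed ordering the same wakeup is ignored until `open()` has completed.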

Attack Vector

Exploitation requires local access and the ability to interact with a TTY device attached to the Bluetooth HCI UART subsystem. A local user with permission to invoke the HCIUARTSETPROTO ioctl on a /dev/tty* device can race protocol attachment against TTY write wakeups. No user interaction or network access is required. The vulnerability does not yield code execution or information disclosure, but it reliably crashes the kernel when the race window is hit.

No public proof-of-concept exploit is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2026-23146

Indicators of Compromise

  • Kernel oops or panic messages referencing hci_uart_write_work, hci_uart_dequeue, or a NULL pointer dereference in the Bluetooth subsystem
  • Unexpected reboots, or "kernel: BUG: unable to handle kernel NULL pointer dereference" entries in /var/log/messages or journalctl -k output
  • Repeated HCIUARTSETPROTO ioctl invocations from non-administrative user contexts

Detection Strategies

  • Monitor kernel ring buffer output via dmesg and centralized log collection for crash signatures involving hci_uart_* symbols
  • Audit auditd records for ioctl calls against TTY devices with the HCIUARTSETPROTO request code originating from unprivileged users
  • Track kernel version inventory against the patched commit hashes published on the upstream stable tree

Monitoring Recommendations

  • Forward /var/log/kern.log and systemd journal kernel facility entries to a centralized SIEM for crash pattern correlation
  • Alert on unexpected workqueue stack traces containing hci_uart_tx_wakeup followed by NULL dereference faults
  • Inventory hosts that load the hci_uart module using lsmod checks and prioritize patching for systems with attached Bluetooth UART hardware
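
One way to implement the crash-signature check from the detection and monitoring lists above, as an added example that is not part of the original advisory. The log lines in `SAMPLE` are constructed, and the function name and finding format are assumptions; the matcher only alerts when a NULL dereference oops and an `hci_uart_*` symbol appear in the same crash report.

```python
import re

# Crash headers in both kernel wordings; the second is the one quoted on this page.
OOPS_START = re.compile(r"BUG: (unable to handle )?kernel NULL pointer dereference")
OOPS_END = re.compile(r"---\[ end trace")
HCI_SYM = re.compile(r"\bhci_uart_\w+")

def find_hci_uart_oops(lines):
    """Return one finding per NULL-deref oops whose report names hci_uart_* symbols."""
    findings, current = [], None

    def flush():
        if current and current["symbols"]:
            findings.append(current)

    for n, line in enumerate(lines, 1):
        if OOPS_START.search(line):
            flush()                       # previous report was cut off by the crash
            current = {"line": n, "symbols": []}
        elif current is not None:
            for sym in HCI_SYM.findall(line):
                if sym not in current["symbols"]:
                    current["symbols"].append(sym)
            if OOPS_END.search(line):
                flush()
                current = None
    flush()                               # log ended mid-report
    return findings

# Constructed sample: one matching oops, one unrelated oops, one truncated report.
SAMPLE = """\
kernel: Bluetooth: HCI UART driver ver 2.3
kernel: BUG: kernel NULL pointer dereference, address: 0000000000000000
kernel: Workqueue: events hci_uart_write_work [hci_uart]
kernel: Call Trace:
kernel:  hci_uart_write_work+0x2c/0x110 [hci_uart]
kernel:  process_one_work+0x1a0/0x3e0
kernel: ---[ end trace 0000000000000000 ]---
kernel: BUG: kernel NULL pointer dereference, address: 0000000000000010
kernel:  ext4_readdir+0x40/0x900
kernel: ---[ end trace 0000000000000000 ]---
kernel: BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
kernel:  hci_uart_dequeue+0x12/0x30 [hci_uart]
""".splitlines()
```

Feeding it the output of journalctl -k, split into lines, gives the line number of each matching crash header and the hci_uart symbols seen in that report.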

How to Mitigate CVE-2026-23146

Immediate Actions Required

  • Apply the upstream Linux kernel patches referenced in the kernel.org stable commits for your kernel branch
  • Restrict local shell and TTY access on multi-user systems to trusted accounts only
  • Unload the hci_uart module on systems that do not require Bluetooth serial transport using modprobe -r hci_uart

Patch Information

The fix reorders the HCI_UART_PROTO_INIT flag assignment to occur only after proto->open() completes successfully. Patched commits are available across stable branches, including 03e8c90c6223, 0c3cd7a0b862, 186d147cf768, 53e54cb31e66, 937a573423ce, b0a900939e7e, and ccc683f597ce. Distribution vendors will incorporate these fixes into their next kernel security updates.

Workarounds

  • Blacklist the hci_uart kernel module on systems that do not use Bluetooth serial controllers by adding blacklist hci_uart to /etc/modprobe.d/blacklist.conf
  • Limit TTY device permissions so that only privileged users can open Bluetooth UART devices and issue HCIUARTSETPROTO ioctls
  • Disable Bluetooth services such as bluetooth.service on servers and appliances where the functionality is not required
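```bash
# Configuration example
# Stop hci_uart from being auto-loaded through its module aliases
echo 'blacklist hci_uart' | sudo tee /etc/modprobe.d/disable-hci_uart.conf
# 'blacklist' does not block an explicit "modprobe hci_uart"; an install override does
echo 'install hci_uart /bin/false' | sudo tee -a /etc/modprobe.d/disable-hci_uart.conf
# Unload the module if it is currently loaded
sudo modprobe -r hci_uart

# Disable Bluetooth stack entirely on hosts that do not need it
sudo systemctl disable --now bluetooth.service
```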

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
