CVE-2026-31500 Overview
CVE-2026-31500 is a use-after-free vulnerability [CWE-416] in the Linux kernel's Bluetooth subsystem, specifically in the Intel Bluetooth driver (btintel). The flaw exists in btintel_hw_error(), which issues two __hci_cmd_sync() calls without holding hci_req_sync_lock(). This races with hci_dev_do_close() calling btintel_shutdown_combined(), which manipulates the same hdev->req_status and hdev->req_rsp state while holding that lock. The close path can free the response skb while the hardware-error recovery path still references it, triggering a slab-use-after-free in kfree_skb().
Critical Impact
A local attacker with low privileges can trigger concurrent execution paths in the Bluetooth stack to cause memory corruption, potentially leading to kernel privilege escalation or denial of service.
Affected Products
- Linux kernel mainline through 7.0-rc7
- Linux kernel 4.3 and later stable branches with btintel driver
- Distributions shipping Intel Bluetooth hardware support via btintel
Discovery Timeline
- 2026-04-22 - CVE-2026-31500 published to NVD
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2026-31500
Vulnerability Analysis
The vulnerability resides in drivers/bluetooth/btintel.c within the btintel_hw_error() function. This function executes during Bluetooth controller error recovery and issues two synchronous Host Controller Interface (HCI) commands: HCI_OP_RESET and an Intel-specific exception-info retrieval. These calls go through __hci_cmd_sync() at net/bluetooth/hci_sync.c:223, which manipulates hdev->req_status and hdev->req_rsp to track command completion.
The error-recovery path runs without holding hci_req_sync_lock. Concurrently, hci_dev_do_close() invokes btintel_shutdown_combined() at drivers/bluetooth/btintel.c:3648, which also calls __hci_cmd_sync() but under the proper lock. When both paths run simultaneously, the close path frees the response socket buffer first. The still-executing btintel_hw_error() then dereferences the freed skb in kfree_skb(), producing the slab-use-after-free reported by KASAN at net/core/skbuff.c:1202.
Root Cause
The root cause is missing synchronization. The btintel_hw_error() recovery sequence shares state (hdev->req_status, hdev->req_rsp) with every other synchronous HCI command issuer but does not acquire hci_req_sync_lock to serialize access. This violates the locking contract required by __hci_cmd_sync_sk().
Attack Vector
Exploitation requires local access with low privileges on a system using Intel Bluetooth hardware. An attacker triggers controller error conditions while concurrently invoking ioctl operations that drive hci_dev_do_close(). Reliable triggering depends on race-window timing between hci_error_reset() and hci_dev_close_sync(). Successful exploitation produces a use-after-free in kernel slab memory, which can be steered toward arbitrary kernel memory corruption.
No public proof-of-concept exploit is available for CVE-2026-31500. The KASAN report in the upstream commit provides the full call trace from __hci_cmd_sync_sk+0x12f2/0x1c30 through btintel_hw_error+0x186/0x670 and hci_error_reset+0x348/0xa30. See the kernel commit f7d84737 for the fix and full technical context.
Detection Methods for CVE-2026-31500
Indicators of Compromise
- KASAN reports referencing slab-use-after-free in sk_skb_reason_drop or kfree_skb with call traces through btintel_hw_error and __hci_cmd_sync_sk.
- Unexpected kernel oops or panics during Bluetooth controller reset or shutdown sequences on systems with Intel Bluetooth adapters.
- Data-race warnings from KCSAN naming __hci_cmd_sync_sk and btintel_shutdown_combined on hdev->req_rsp.
Detection Strategies
- Audit installed kernel versions against the patched commits to identify unpatched hosts running vulnerable btintel code.
- Enable KASAN and KCSAN on test kernels to surface the race and use-after-free during fuzzing of Bluetooth ioctl interfaces.
- Monitor dmesg and journald for Bluetooth subsystem errors correlated with HCI reset events.
Monitoring Recommendations
- Track Bluetooth driver crash signatures via centralized log aggregation, focusing on btintel and hci_sync symbols.
- Alert on repeated hci_error_reset events on the same device, which may indicate attempted race exploitation.
- Correlate local user ioctl activity against /dev/rfkill and Bluetooth HCI sockets with subsequent kernel error events.
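A log-side check for the indicators in the three lists above, added here as an example for this advisory and not code from the Linux kernel project or any vendor. It normalizes dmesg and journald prefixes, extracts the call-trace frames of each KASAN report, matches the KCSAN function pair, and counts hardware-error resets per hciN device so repeated resets on one adapter can be alerted on. The KASAN and KCSAN line shapes follow the kernel's report format; the btintel "Hardware error" message regex, the helper names, the reset threshold and the log excerpt are assumptions constructed for this example.

```python
"""Scan kernel log lines for the CVE-2026-31500 indicators named in the advisory.
Added example, not kernel or vendor code; message shapes are modelled on KASAN/KCSAN
output and the btintel bt_dev_err "Hardware error" message, and the log is constructed."""
import re
from collections import Counter

# Frames the advisory names in the recovery-path call trace, and the free sites
# KASAN reports the use-after-free in.
RECOVERY_FRAMES = {"btintel_hw_error", "__hci_cmd_sync_sk"}
FREE_SITES = {"kfree_skb", "sk_skb_reason_drop"}
KCSAN_PAIR = {"__hci_cmd_sync_sk", "btintel_shutdown_combined"}

# Optional "Mon DD hh:mm:ss host kernel: " and/or "[ 123.456789] " prefixes.
PREFIX_RE = re.compile(r"^(?:.*?kernel:\s*)?(?:\[\s*\d+\.\d+\]\s*)?")
KASAN_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<site>\w+)")
KCSAN_RE = re.compile(r"BUG: KCSAN: data-race in (?P<a>\w+) / (?P<b>\w+)")
FRAME_RE = re.compile(r"^\s*(?:\?\s+)?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
# Assumed shape of the btintel hardware-error message; adjust to the running kernel.
HWERR_RE = re.compile(r"Bluetooth: (?P<dev>hci\d+): hardware error 0x[0-9a-f]{2}", re.I)

def normalize(line):
    """Strip journald/dmesg prefixes so one set of patterns covers both sources."""
    return PREFIX_RE.sub("", line, count=1).rstrip()

def scan_kernel_log(lines):
    """Collect CVE-2026-31500 indicators from an iterable of raw log lines."""
    findings = {"kasan_matches": [],     # (kind, site, frames) for UAFs via the recovery path
                "kcsan_matches": [],     # (func_a, func_b) for the named data-race pair
                "hw_errors": Counter()}  # hardware-error resets per hciN device
    current = None  # KASAN report being accumulated: (kind, site, set_of_frames)

    def close_report():
        nonlocal current
        if current is not None:
            kind, site, frames = current
            if (kind == "slab-use-after-free" and RECOVERY_FRAMES <= frames
                    and (site in FREE_SITES or frames & FREE_SITES)):
                findings["kasan_matches"].append((kind, site, sorted(frames)))
            current = None

    for raw in lines:
        line = normalize(raw)
        if m := KASAN_RE.search(line):
            close_report()
            current = (m["kind"], m["site"], set())
        elif m := KCSAN_RE.search(line):
            close_report()
            if {m["a"], m["b"]} == KCSAN_PAIR:
                findings["kcsan_matches"].append((m["a"], m["b"]))
        elif m := HWERR_RE.search(line):
            findings["hw_errors"][m["dev"]] += 1
        elif current is not None:
            if line.startswith("===="):  # KASAN closes a report with a rule of '='
                close_report()
            elif f := FRAME_RE.match(line):
                current[2].add(f["sym"])
    close_report()
    return findings

def assess(findings, reset_threshold=3):
    """Turn findings into alert strings; the threshold is a tuning knob, not an advisory value."""
    alerts = []
    for kind, site, frames in findings["kasan_matches"]:
        alerts.append(f"KASAN {kind} in {site} via btintel recovery path: {', '.join(frames)}")
    for a, b in findings["kcsan_matches"]:
        alerts.append(f"KCSAN data-race {a} / {b}: unserialized access to hdev->req_rsp")
    for dev, count in sorted(findings["hw_errors"].items()):
        if count >= reset_threshold:
            alerts.append(f"{dev}: {count} hardware-error resets, check for repeated race attempts")
    return alerts

# Constructed excerpt: one matching KASAN report, one KCSAN race, repeated
# hardware errors on hci0, and an unrelated UAF that must not match.
SAMPLE_LOG = """\
[  120.001000] Bluetooth: hci0: Hardware error 0x0a
[  120.002000] ==================================================================
[  120.002100] BUG: KASAN: slab-use-after-free in kfree_skb+0x1a/0x40
[  120.002200] Call Trace:
[  120.002400]  __hci_cmd_sync_sk+0x12f2/0x1c30
[  120.002500]  btintel_hw_error+0x186/0x670
[  120.002600]  hci_error_reset+0x348/0xa30
[  120.002700]  process_one_work+0x4b0/0x8b0
[  120.003000] ==================================================================
Apr 22 10:00:01 host kernel: BUG: KCSAN: data-race in __hci_cmd_sync_sk / btintel_shutdown_combined
[  125.000000] Bluetooth: hci0: Hardware error 0x0a
[  130.000000] Bluetooth: hci0: Hardware error 0x0a
[  131.000000] Bluetooth: hci1: Hardware error 0x0a
[  140.000000] BUG: KASAN: slab-use-after-free in some_other_free+0x10/0x20
[  140.000100]  unrelated_function+0x1/0x2
[  140.000300] ==================================================================
"""

if __name__ == "__main__":
    for alert in assess(scan_kernel_log(SAMPLE_LOG.splitlines())):
        print(alert)
```

Feed it the output of `dmesg` or `journalctl -k` instead of SAMPLE_LOG to run it against a real host; the per-device reset threshold should be tuned to the adapter's normal error rate before alerting on it.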
How to Mitigate CVE-2026-31500
Immediate Actions Required
- Apply the upstream patch that wraps the recovery sequence in hci_req_sync_lock/unlock, as merged in kernel commit f7d84737.
- Update to a distribution kernel that includes the stable backports listed in the vendor advisories.
- On systems where Bluetooth is not required, disable the btintel and bluetooth modules to remove the attack surface.
Patch Information
The fix serializes btintel_hw_error() with every other synchronous HCI command issuer by acquiring hci_req_sync_lock for the entire recovery sequence. Stable backports are available across multiple branches:
- Kernel Commit 5f84e84
- Kernel Commit 66696648
- Kernel Commit 94d8e6fe
- Kernel Commit e10a4cbc
- Kernel Commit f7d84737
Workarounds
- Blacklist the btintel kernel module on systems that do not require Intel Bluetooth functionality.
- Restrict access to Bluetooth HCI sockets and related ioctl interfaces to trusted local users only.
- Disable Bluetooth at the firmware or BIOS level on servers and fixed-function appliances.
# Configuration example: blacklist btintel until kernel is patched
# 'blacklist' only stops alias-based autoloading; the 'install ... /bin/false' lines also
# stop the module being loaded as a dependency of another module (btusb pulls in btintel)
printf 'blacklist btintel\ninstall btintel /bin/false\nblacklist btusb\ninstall btusb /bin/false\n' | sudo tee /etc/modprobe.d/blacklist-btintel.conf
# Unload btusb before btintel: btusb depends on btintel, and modprobe -r resolves the order
sudo modprobe -r btusb btintel 2>/dev/null
# Rebuild the initramfs so the blacklist applies at early boot (Debian/Ubuntu; use dracut -f on dracut-based distributions)
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.