CVE-2026-23146

Source
https://cve.org/CVERecord?id=CVE-2026-23146
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23146.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-23146
Published
2026-02-14T16:01:16.169Z
Modified
2026-05-07T04:17:44.952684Z
Summary
Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work

hci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling hci_uart_register_dev(), which calls proto->open() to initialize hu->priv. However, if a TTY write wakeup occurs during this window, hci_uart_tx_wakeup() may schedule write_work before hu->priv is initialized, leading to a NULL pointer dereference in hci_uart_write_work() when proto->dequeue() accesses hu->priv.

The race condition is:

    CPU0                              CPU1
    ----                              ----
    hci_uart_set_proto()
      set_bit(HCI_UART_PROTO_INIT)
      hci_uart_register_dev()
                                      tty write wakeup
                                        hci_uart_tty_wakeup()
                                          hci_uart_tx_wakeup()
                                            schedule_work(&hu->write_work)
        proto->open(hu)
        // initializes hu->priv
                                      hci_uart_write_work()
                                        hci_uart_dequeue()
                                          proto->dequeue(hu)
                                          // accesses hu->priv (NULL!)

Fix this by moving set_bit(HCI_UART_PROTO_INIT) after proto->open() succeeds, ensuring hu->priv is initialized before any work can be scheduled.
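
The ordering problem described above, reduced to a deterministic single-threaded C model (an added example, not kernel code and not part of the original record). The names struct hu_model, tty_wakeup(), proto_open(), write_work() and run_set_proto() are hypothetical, and the model assumes the wakeup path queues work only once the init flag is set, as the fix description implies.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model (assumption): fields stand in for hci_uart state. */
struct hu_model {
    bool proto_init;   /* HCI_UART_PROTO_INIT bit */
    void *priv;        /* set by proto->open() */
    bool work_queued;  /* schedule_work(&hu->write_work) happened */
};

static int proto_state; /* dummy per-protocol data installed by open() */

/* CPU1: TTY write wakeup queues work only once the init flag is visible. */
static void tty_wakeup(struct hu_model *hu) {
    if (hu->proto_init)
        hu->work_queued = true;
}

/* proto->open(): the only place hu->priv becomes non-NULL. */
static void proto_open(struct hu_model *hu) { hu->priv = &proto_state; }

/* Worker: 0 = nothing queued, 1 = dequeue saw valid priv,
 * -1 = dequeue would have dereferenced a NULL hu->priv. */
static int write_work(struct hu_model *hu) {
    if (!hu->work_queued)
        return 0;
    hu->work_queued = false;
    return hu->priv ? 1 : -1;
}

/* CPU0: the two init steps, with CPU1's wakeup and the worker forced
 * into the window between them. fixed_order=true sets the flag last. */
static int run_set_proto(bool fixed_order) {
    struct hu_model hu = {0};
    if (fixed_order) proto_open(&hu); else hu.proto_init = true;
    tty_wakeup(&hu);
    int r = write_work(&hu);
    if (fixed_order) hu.proto_init = true; else proto_open(&hu);
    if (r < 0)
        return r;          /* fault already happened inside the window */
    tty_wakeup(&hu);       /* a wakeup after init completes */
    return write_work(&hu);
}

int main(void) {
    printf("flag before open: %d\n", run_set_proto(false));
    printf("flag after open:  %d\n", run_set_proto(true));
    return 0;
}
```

With the flag set last, the wakeup that lands in the window is ignored and only a later wakeup reaches the worker, by which time hu->priv is valid.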

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23146.json",
    "cna_assigner": "Linux"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Events (one range per line):
Introduced a40f94f7caa8d3421b64f63ac31bc0f24c890f39; Fixed b0a900939e7e4866d9b90e9112514b72c451e873
Introduced 9e5a0f5777162e503400c70c6ed25fbbe2d38799; Fixed ccc683f597ceb28deb966427ae948e5ac739a909
Introduced 80f14e9de6a43a0bd8194cad1003a3e6dcbc3984; Fixed 937a573423ce5a96fdb1fd425dc6b8d8d4ab5779
Introduced 02e1bcdfdf769974e7e9fa285e295cd9852e2a38; Fixed 186d147cf7689ba1f9b3ddb753ab634a84940cc9
Introduced 281782d2c6730241e300d630bb9f200d831ede71; Fixed 53e54cb31e667fca05b1808b990eac0807d1dab0
Introduced 5df5dafc171b90d0b8d51547a82657cd5a1986c7; Fixed 03e8c90c62233382042b7bd0fa8b8900552fdb62; Fixed 0c3cd7a0b862c37acbee6d9502107146cc944398
Introduced 0 (unknown introduced commit; all previous commits are affected); Last affected 1dcf08fcff5ca529de6dc0395091f28854f4e54a; Last affected 8e5aff600539e5faea294d9612cca50220e602b8; Last affected db7509fa110dd9b11134b75894677f30353b2c51

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23146.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type: ECOSYSTEM

Events (one range per line):
Introduced 0 (unknown introduced version; all previous versions are affected); Fixed 5.10.249
Introduced 5.11.0; Fixed 5.15.199
Introduced 5.16.0; Fixed 6.1.162
Introduced 6.2.0; Fixed 6.6.123
Introduced 6.7.0; Fixed 6.12.69
Introduced 6.13.0; Fixed 6.18.9

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23146.json"