{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-31500","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-09T15:48:24.104Z","datePublished":"2026-04-22T13:54:21.071Z","dateUpdated":"2026-05-11T22:09:56.515Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:09:56.515Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock\n\nbtintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESET\nand Intel exception-info retrieval) without holding\nhci_req_sync_lock().  This lets it race against\nhci_dev_do_close() -> btintel_shutdown_combined(), which also runs\n__hci_cmd_sync() under the same lock.  When both paths manipulate\nhdev->req_status/req_rsp concurrently, the close path may free the\nresponse skb first, and the still-running hw_error path hits a\nslab-use-after-free in kfree_skb().\n\nWrap the whole recovery sequence in hci_req_sync_lock/unlock so it\nis serialized with every other synchronous HCI command issuer.\n\nBelow is the data race report and the kasan report:\n\n  BUG: data-race in __hci_cmd_sync_sk / btintel_shutdown_combined\n\n  read of hdev->req_rsp at net/bluetooth/hci_sync.c:199\n  by task kworker/u17:1/83:\n   __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200\n   __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223\n   btintel_hw_error+0x114/0x670 drivers/bluetooth/btintel.c:254\n   hci_error_reset+0x348/0xa30 net/bluetooth/hci_core.c:1030\n\n  write/free by task ioctl/22580:\n   btintel_shutdown_combined+0xd0/0x360\n    drivers/bluetooth/btintel.c:3648\n   hci_dev_close_sync+0x9ae/0x2c10 net/bluetooth/hci_sync.c:5246\n   hci_dev_do_close+0x232/0x460 net/bluetooth/hci_core.c:526\n\n  BUG: KASAN: slab-use-after-free in\n   sk_skb_reason_drop+0x43/0x380 net/core/skbuff.c:1202\n  Read of size 4 at addr ffff888144a738dc\n  by task kworker/u17:1/83:\n   __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200\n   __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223\n   btintel_hw_error+0x186/0x670 drivers/bluetooth/btintel.c:260"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/bluetooth/btintel.c"],"versions":[{"version":"973bb97e5aee56edddaae3d5c96877101ad509c0","lessThan":"5f84e845648dfa86e42de5487f1a774b42f0444d","status":"affected","versionType":"git"},{"version":"973bb97e5aee56edddaae3d5c96877101ad509c0","lessThan":"e10a4cb72468686ffbe8bb2b0520e37f6be1a0c5","status":"affected","versionType":"git"},{"version":"973bb97e5aee56edddaae3d5c96877101ad509c0","lessThan":"66696648af477dc87859e5e4b607112f5f29d010","status":"affected","versionType":"git"},{"version":"973bb97e5aee56edddaae3d5c96877101ad509c0","lessThan":"f7d84737663ad4a120d2d8ef1561a4df91282c2e","status":"affected","versionType":"git"},{"version":"973bb97e5aee56edddaae3d5c96877101ad509c0","lessThan":"94d8e6fe5d0818e9300e514e095a200bd5ff93ae","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/bluetooth/btintel.c"],"versions":[{"version":"4.3","status":"affected"},{"version":"0","lessThan":"4.3","status":"unaffected","versionType":"semver"},{"version":"6.6.131","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.80","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.21","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.11","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"6.6.131"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"6.12.80"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"6.18.21"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"6.19.11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/5f84e845648dfa86e42de5487f1a774b42f0444d"},{"url":"https://git.kernel.org/stable/c/e10a4cb72468686ffbe8bb2b0520e37f6be1a0c5"},{"url":"https://git.kernel.org/stable/c/66696648af477dc87859e5e4b607112f5f29d010"},{"url":"https://git.kernel.org/stable/c/f7d84737663ad4a120d2d8ef1561a4df91282c2e"},{"url":"https://git.kernel.org/stable/c/94d8e6fe5d0818e9300e514e095a200bd5ff93ae"}],"title":"Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock","x_generator":{"engine":"bippy-1.2.0"}}}}