Bug 2466991 (CVE-2026-43119) - CVE-2026-43119 kernel: Bluetooth: hci_sync: annotate data-races around hdev->req_status
Summary: CVE-2026-43119 kernel: Bluetooth: hci_sync: annotate data-races around hdev->...
Keywords:
Status: NEW
Alias: CVE-2026-43119
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-06 10:02 UTC by OSIDB Bzimport
Modified: 2026-05-06 14:57 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-06 10:02:09 UTC 
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_sync: annotate data-races around hdev->req_status

__hci_cmd_sync_sk() sets hdev->req_status under hdev->req_lock:

    hdev->req_status = HCI_REQ_PEND;

However, several other functions read or write hdev->req_status without
holding any lock:

  - hci_send_cmd_sync() reads req_status in hci_cmd_work (workqueue)
  - hci_cmd_sync_complete() reads/writes from HCI event completion
  - hci_cmd_sync_cancel() / hci_cmd_sync_cancel_sync() read/write
  - hci_abort_conn() reads in connection abort path

Since __hci_cmd_sync_sk() runs on hdev->req_workqueue while
hci_send_cmd_sync() runs on hdev->workqueue, these are different
workqueues that can execute concurrently on different CPUs. The plain
C accesses constitute a data race.

Add READ_ONCE()/WRITE_ONCE() annotations on all concurrent accesses
to hdev->req_status to prevent potential compiler optimizations that
could affect correctness (e.g., load fusing in the wait_event
condition or store reordering).
Comment 1 Alexander B 2026-05-06 14:57:09 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050627-CVE-2026-43119-d24f@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.