2492447 – (CVE-2026-53073) CVE-2026-53073 kernel: Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error

Bug 2492447 (CVE-2026-53073) - CVE-2026-53073 kernel: Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error

Summary: CVE-2026-53073 kernel: Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error

Keywords:
Status:	NEW
Alias:	CVE-2026-53073
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-06-24 18:12 UTC by OSIDB Bzimport
Modified:	2026-06-25 16:07 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-06-24 18:12:34 UTC

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error

When hci_register_dev() fails in hci_uart_register_dev()
HCI_UART_PROTO_INIT is not cleared before calling hu->proto->close(hu)
and setting hu->hdev to NULL. This means incoming UART data will reach
the protocol-specific recv handler in hci_uart_tty_receive() after
resources are freed.

Clear HCI_UART_PROTO_INIT with a write lock before calling
hu->proto->close() and setting hu->hdev to NULL. The write lock ensures
all active readers have completed and no new reader can enter the
protocol recv path before resources are freed.

This allows the protocol-specific recv functions to remove the
"HCI_UART_REGISTERED" guard without risking a null pointer dereference
if hci_register_dev() fails.

Comment 1 Mauro Matteo Cascella 2026-06-25 09:02:12 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026062405-CVE-2026-53073-9692@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.