{"id":"CVE-2026-31500","summary":"Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock\n\nbtintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESET\nand Intel exception-info retrieval) without holding\nhci_req_sync_lock().  This lets it race against\nhci_dev_do_close() -\u003e btintel_shutdown_combined(), which also runs\n__hci_cmd_sync() under the same lock.  When both paths manipulate\nhdev-\u003ereq_status/req_rsp concurrently, the close path may free the\nresponse skb first, and the still-running hw_error path hits a\nslab-use-after-free in kfree_skb().\n\nWrap the whole recovery sequence in hci_req_sync_lock/unlock so it\nis serialized with every other synchronous HCI command issuer.\n\nBelow is the data race report and the kasan report:\n\n  BUG: data-race in __hci_cmd_sync_sk / btintel_shutdown_combined\n\n  read of hdev-\u003ereq_rsp at net/bluetooth/hci_sync.c:199\n  by task kworker/u17:1/83:\n   __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200\n   __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223\n   btintel_hw_error+0x114/0x670 drivers/bluetooth/btintel.c:254\n   hci_error_reset+0x348/0xa30 net/bluetooth/hci_core.c:1030\n\n  write/free by task ioctl/22580:\n   btintel_shutdown_combined+0xd0/0x360\n    drivers/bluetooth/btintel.c:3648\n   hci_dev_close_sync+0x9ae/0x2c10 net/bluetooth/hci_sync.c:5246\n   hci_dev_do_close+0x232/0x460 net/bluetooth/hci_core.c:526\n\n  BUG: KASAN: slab-use-after-free in\n   sk_skb_reason_drop+0x43/0x380 net/core/skbuff.c:1202\n  Read of size 4 at addr ffff888144a738dc\n  by task kworker/u17:1/83:\n   __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200\n   __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223\n   btintel_hw_error+0x186/0x670 drivers/bluetooth/btintel.c:260","modified":"2026-07-09T10:14:45.953622366Z","published":"2026-04-22T13:54:21.071Z","related":["SUSE-SU-2026:22433-1","SUSE-SU-2026:22436-1","SUSE-SU-2026:22458-1","SUSE-SU-2026:22460-1","SUSE-SU-2026:2450-1","SUSE-SU-2026:2630-1","SUSE-SU-2026:2631-1","SUSE-SU-2026:2632-1","SUSE-SU-2026:2638-1","SUSE-SU-2026:2658-1","SUSE-SU-2026:2722-1","SUSE-SU-2026:2799-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31500.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/5f84e845648dfa86e42de5487f1a774b42f0444d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/66696648af477dc87859e5e4b607112f5f29d010"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7e041d0aad1d4d43d921ace052e04f4e2cacaed3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/94d8e6fe5d0818e9300e514e095a200bd5ff93ae"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e10a4cb72468686ffbe8bb2b0520e37f6be1a0c5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f7d84737663ad4a120d2d8ef1561a4df91282c2e"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31500.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31500"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"973bb97e5aee56edddaae3d5c96877101ad509c0"},{"fixed":"7e041d0aad1d4d43d921ace052e04f4e2cacaed3"},{"fixed":"5f84e845648dfa86e42de5487f1a774b42f0444d"},{"fixed":"e10a4cb72468686ffbe8bb2b0520e37f6be1a0c5"},{"fixed":"66696648af477dc87859e5e4b607112f5f29d010"},{"fixed":"f7d84737663ad4a120d2d8ef1561a4df91282c2e"},{"fixed":"94d8e6fe5d0818e9300e514e095a200bd5ff93ae"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31500.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.3.0"},{"fixed":"6.1.175"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.131"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.80"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.21"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.11"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31500.json"}}],"schema_version":"1.7.5"}