CVE-2026-31500

Source
https://cve.org/CVERecord?id=CVE-2026-31500
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31500.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-31500
Downstream
Related
Published
2026-04-22T13:54:21.071Z
Modified
2026-07-09T10:14:45.953622366Z
Summary
Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btintel: serialize btintelhwerror() with hcireqsync_lock

btintelhwerror() issues two __hcicmdsync() calls (HCIOPRESET and Intel exception-info retrieval) without holding hcireqsynclock(). This lets it race against hcidevdoclose() -> btintelshutdowncombined(), which also runs __hcicmdsync() under the same lock. When both paths manipulate hdev->reqstatus/reqrsp concurrently, the close path may free the response skb first, and the still-running hwerror path hits a slab-use-after-free in kfreeskb().

Wrap the whole recovery sequence in hcireqsync_lock/unlock so it is serialized with every other synchronous HCI command issuer.

Below is the data race report and the kasan report:

BUG: data-race in _hcicmdsyncsk / btintelshutdowncombined

read of hdev->reqrsp at net/bluetooth/hcisync.c:199 by task kworker/u17:1/83: __hcicmdsyncsk+0x12f2/0x1c30 net/bluetooth/hcisync.c:200 __hcicmdsync+0x55/0x80 net/bluetooth/hcisync.c:223 btintelhwerror+0x114/0x670 drivers/bluetooth/btintel.c:254 hcierrorreset+0x348/0xa30 net/bluetooth/hcicore.c:1030

write/free by task ioctl/22580: btintelshutdowncombined+0xd0/0x360 drivers/bluetooth/btintel.c:3648 hcidevclosesync+0x9ae/0x2c10 net/bluetooth/hcisync.c:5246 hcidevdoclose+0x232/0x460 net/bluetooth/hcicore.c:526

BUG: KASAN: slab-use-after-free in skskbreason_drop+0x43/0x380 net/core/skbuff.c:1202 Read of size 4 at addr ffff888144a738dc by task kworker/u17:1/83: __hcicmdsyncsk+0x12f2/0x1c30 net/bluetooth/hcisync.c:200 _hcicmdsync+0x55/0x80 net/bluetooth/hcisync.c:223 btintelhwerror+0x186/0x670 drivers/bluetooth/btintel.c:260

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31500.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
973bb97e5aee56edddaae3d5c96877101ad509c0
Fixed
7e041d0aad1d4d43d921ace052e04f4e2cacaed3
Fixed
5f84e845648dfa86e42de5487f1a774b42f0444d
Fixed
e10a4cb72468686ffbe8bb2b0520e37f6be1a0c5
Fixed
66696648af477dc87859e5e4b607112f5f29d010
Fixed
f7d84737663ad4a120d2d8ef1561a4df91282c2e
Fixed
94d8e6fe5d0818e9300e514e095a200bd5ff93ae

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31500.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.3.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.131
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.80
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.21
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.11

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31500.json"