CVE-2022-50833
Description
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: use hdev->workqueue when queuing hdev->{cmd,ncmd}_timer works
syzbot is reporting an attempt to schedule hdev->cmd_work work from system_wq WQ into hdev->workqueue WQ which is under draining operation [1], for commit c8efcc2589464ac7 ("workqueue: allow chained queueing during destruction") does not allow such an operation.
The check introduced by commit 877afadad2dce8aa ("Bluetooth: When HCI work queue is drained, only queue chained work") was incomplete.
Use hdev->workqueue WQ when queuing hdev->{cmd,ncmd}_timer works because hci_{cmd,ncmd}_timeout() calls queue_work(hdev->workqueue). Also, protect the queuing operation with RCU read lock in order to avoid calling queue_delayed_work() after cancel_delayed_work() completed.
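The description above hinges on the kernel's chained-queueing rule: a workqueue that is being drained only accepts new work from a worker that is already running on that same workqueue, and hci_{cmd,ncmd}_timeout() queue work onto hdev->workqueue. The following userspace model is an added example, not kernel code and not part of this CVE record; the struct, function and variable names (model_wq, model_queue_work, run_timer_on, timeout_before_fix, timeout_after_fix) are constructed for illustration and the draining flag stands in for the kernel's drain state. It shows why the timeout handler is rejected when its timer work ran on system_wq, and accepted once the timer work itself runs on hdev->workqueue.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Userspace model of the kernel's chained-queueing rule (constructed for
 * this example; not kernel code). A workqueue that is being drained only
 * accepts new work from a worker that is itself running on that same
 * workqueue; anything else is rejected with a warning.
 */
struct model_wq {
    const char *name;
    bool draining;   /* models the drain state set by drain_workqueue() */
};

/* The workqueue whose worker is currently executing; NULL outside a worker. */
static struct model_wq *current_worker_wq;

/* Models is_chained_work(): true only when we run on a worker of wq itself. */
static bool model_is_chained_work(const struct model_wq *wq)
{
    return current_worker_wq == wq;
}

/* Models the draining check in the queueing path: 0 = queued, -1 = dropped. */
static int model_queue_work(struct model_wq *wq, const char *work)
{
    if (wq->draining && !model_is_chained_work(wq)) {
        printf("WARNING: '%s' queued into draining %s from %s context\n",
               work, wq->name,
               current_worker_wq ? current_worker_wq->name : "non-worker");
        return -1;
    }
    printf("queued '%s' into %s\n", work, wq->name);
    return 0;
}

static struct model_wq system_wq = { "system_wq", false };
static struct model_wq hdev_wq   = { "hdev->workqueue", false };

/*
 * Models hci_cmd_timeout(): it always queues hdev->cmd_work onto
 * hdev->workqueue. What differs between vulnerable and fixed code is which
 * workqueue the delayed timer work ran on, i.e. which worker calls this.
 */
static int model_hci_cmd_timeout(void)
{
    return model_queue_work(&hdev_wq, "hdev->cmd_work");
}

/* Runs the timer callback as if a worker of timer_wq had picked it up. */
static int run_timer_on(struct model_wq *timer_wq)
{
    struct model_wq *saved = current_worker_wq;
    int ret;

    current_worker_wq = timer_wq;
    ret = model_hci_cmd_timeout();
    current_worker_wq = saved;
    return ret;
}

/* Vulnerable: cmd_timer was queued on system_wq while hdev->workqueue drains. */
int timeout_before_fix(void)
{
    int ret;

    hdev_wq.draining = true;
    ret = run_timer_on(&system_wq);   /* not chained: dropped with a warning */
    hdev_wq.draining = false;
    return ret;
}

/* Fixed: cmd_timer was queued on hdev->workqueue, so the queueing is chained. */
int timeout_after_fix(void)
{
    int ret;

    hdev_wq.draining = true;
    ret = run_timer_on(&hdev_wq);     /* chained: accepted during drain */
    hdev_wq.draining = false;
    return ret;
}

int main(void)
{
    printf("before fix: %d\n", timeout_before_fix());
    printf("after fix:  %d\n", timeout_after_fix());
    return 0;
}
```

The model covers only the workqueue selection half of the fix; the RCU read-lock part of the description, which keeps queue_delayed_work() from being called after cancel_delayed_work() has completed, is a separate race that this model does not reproduce.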
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A Bluetooth flaw in the Linux kernel allows workqueue scheduling during destruction, potentially leading to system instability.
The vulnerability is a workqueue usage issue in the Linux kernel's Bluetooth subsystem that surfaces during device destruction. The hdev->{cmd,ncmd}_timer delayed works were queued on system_wq instead of the device-specific hdev->workqueue, so their timeout handlers, which themselves queue work onto hdev->workqueue, run from a worker of a different workqueue. While hdev->workqueue is being drained during destruction, that is an attempt to schedule work into a draining queue from outside it, which violates the chained-queueing rule introduced in commit c8efcc2589464ac7. The earlier fix (commit 877afadad2dce8aa) was incomplete [1].
The attack surface is local and requires access to a Bluetooth device on the system. Exploitation would involve triggering a Bluetooth device removal or error path that leads to the problematic workqueue scheduling. No authentication is needed beyond the ability to interact with the Bluetooth subsystem (e.g., through hci_sock or sysfs). The bug is reachable when the Bluetooth device is being torn down and its timers fire.
An attacker who can cause a Bluetooth device to be unregistered or experience an error could force the system to attempt queuing work into a draining workqueue. This may lead to a kernel warning or a denial of service (system hang or crash), or potentially more severe consequences depending on the workqueue state [1]. The impact is primarily availability; the source does not state the exact worst case.
The fix, included in Linux kernel stable updates (as of commit deee93d13d3851032055036ecd83261), changes the queueing to use hdev->workqueue and adds RCU read lock protection to avoid races with cancel_delayed_work(). Users should apply kernel patches from their distribution [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
3c4635cf3d8453c6b036fe5c8deee93d13d38
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (3)
News mentions (0)
No linked articles in our index yet.