CVE-2023-54120
Description
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Fix race condition in hidp_session_thread
There is a potential race condition in hidp_session_thread that may lead to use-after-free. For instance, the timer is active while hidp_del_timer is called in hidp_session_thread(). After hidp_session_put, then 'session' will be freed, causing kernel panic when hidp_idle_timeout is running.
The solution is to use del_timer_sync instead of del_timer.
Here is the call trace:
? hidp_session_probe+0x780/0x780
call_timer_fn+0x2d/0x1e0
__run_timers.part.0+0x569/0x940
hidp_session_probe+0x780/0x780
call_timer_fn+0x1e0/0x1e0
ktime_get+0x5c/0xf0
lapic_next_deadline+0x2c/0x40
clockevents_program_event+0x205/0x320
run_timer_softirq+0xa9/0x1b0
__do_softirq+0x1b9/0x641
__irq_exit_rcu+0xdc/0x190
irq_exit_rcu+0xe/0x20
sysvec_apic_timer_interrupt+0xa1/0xc0
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in the Linux kernel's Bluetooth HIDP session thread can cause use-after-free, leading to a kernel panic.
Vulnerability
CVE-2023-54120 is a race condition in the Linux kernel's Bluetooth Human Interface Device Protocol (HIDP) implementation, located in the hidp_session_thread function. The timer used for idle timeout handling remains active while hidp_del_timer is called. If hidp_session_put is invoked before the timer is safely removed, the session structure can be freed while the timer callback (hidp_idle_timeout) is still running, leading to a use-after-free condition [1][2][3].
Exploitation
To exploit this vulnerability, an attacker would need to trigger the race condition between the timer expiration and session cleanup in a specific order. This requires local access to the system and the ability to interact with Bluetooth HIDP devices. The attack surface is limited to systems where Bluetooth HIDP is enabled and in use. No authentication is needed beyond local user access to trigger the relevant code paths [1][2][3].
Impact
Successful exploitation results in a kernel panic, causing a denial of service (DoS). The use-after-free can corrupt kernel memory, potentially leading to system crash or instability. There is no indication of privilege escalation or remote code execution from the available sources [1][2][3].
Mitigation
The fix replaces del_timer with del_timer_sync in the hidp_session_thread function, ensuring the timer is fully deactivated before the session is freed. This patch has been applied to the stable kernel branches as referenced in the commit history [1][2][3]. Users should update their Linux kernel to a version containing this fix.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
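The difference between the two calls can be seen in a userspace model. This is an added example, not kernel code or code from the fix commits: a pthread stands in for the timer softirq, and struct session, idle_timeout and callback_live_at_free are constructed names. It reports whether the callback is still executing at the point where the session would be freed.

```c
/* Userspace model (constructed) of del_timer vs del_timer_sync semantics. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

struct session {               /* stand-in for the HIDP session object */
    atomic_int cb_running;     /* 1 while the idle-timeout callback executes */
    int idle_hits;             /* state the callback touches */
    pthread_t timer;           /* models the timer softirq context */
};

static void *idle_timeout(void *arg)   /* models hidp_idle_timeout() */
{
    struct session *s = arg;
    usleep(100 * 1000);                /* callback is mid-flight */
    s->idle_hits++;                    /* in the kernel: access to freed memory */
    atomic_store(&s->cb_running, 0);
    return NULL;
}

/* Returns 1 if the callback was still executing at the point where
 * hidp_session_put() would free the session, 0 if it had finished,
 * -1 on setup failure. */
int callback_live_at_free(int use_sync)
{
    struct session *s = calloc(1, sizeof(*s));
    if (!s)
        return -1;
    atomic_store(&s->cb_running, 1);   /* timer has already fired */
    if (pthread_create(&s->timer, NULL, idle_timeout, s)) {
        free(s);
        return -1;
    }
    if (use_sync)
        pthread_join(s->timer, NULL);  /* del_timer_sync: wait for the handler */
    /* else del_timer: only dequeues a pending timer and returns at once */
    int live = atomic_load(&s->cb_running);
    if (!use_sync)
        pthread_join(s->timer, NULL);  /* model only: keeps the demo memory-safe */
    free(s);                           /* hidp_session_put() dropping the last ref */
    return live;
}

int main(void)
{
    printf("del_timer:      callback live at free = %d\n", callback_live_at_free(0));
    printf("del_timer_sync: callback live at free = %d\n", callback_live_at_free(1));
    return 0;
}
```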
Affected products: 1
Patches: 8
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
- git.kernel.org/stable/c/0efb276d5848a3accc37c6f41b85e442c4768169 (nvd)
- git.kernel.org/stable/c/152f47bd6b995e0e98c85672f6d19894bc287ef2 (nvd)
- git.kernel.org/stable/c/248af9feca062a4ca9c3f2ccf67056c8a5eb817f (nvd)
- git.kernel.org/stable/c/5f3d214d19899183d4e0cce7552998262112e4ab (nvd)
- git.kernel.org/stable/c/8a99e6200c38b78a45dcd12a6bdc43fdf4dc36be (nvd)
- git.kernel.org/stable/c/c95930abd687fcd1aa040dc4fe90dff947916460 (nvd)
- git.kernel.org/stable/c/f6719fd8f409fa1da8dc956e93822d25e1e8b360 (nvd)
- git.kernel.org/stable/c/f7ec5ca433ceead8d9d78fd2febff094f289441d (nvd)