CVE-2026-43119
Description
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_sync: annotate data-races around hdev->req_status
__hci_cmd_sync_sk() sets hdev->req_status under hdev->req_lock:
hdev->req_status = HCI_REQ_PEND;
However, several other functions read or write hdev->req_status without holding any lock:
- hci_send_cmd_sync() reads req_status in hci_cmd_work (workqueue)
- hci_cmd_sync_complete() reads/writes from HCI event completion
- hci_cmd_sync_cancel() / hci_cmd_sync_cancel_sync() read/write
- hci_abort_conn() reads in connection abort path
Since __hci_cmd_sync_sk() runs on hdev->req_workqueue while hci_send_cmd_sync() runs on hdev->workqueue, these are different workqueues that can execute concurrently on different CPUs. The plain C accesses constitute a data race.
Add READ_ONCE()/WRITE_ONCE() annotations on all concurrent accesses to hdev->req_status to prevent potential compiler optimizations that could affect correctness (e.g., load fusing in the wait_event condition or store reordering).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A data race in the Linux kernel's Bluetooth HCI subsystem around hdev->req_status: the field is written under hdev->req_lock on one workqueue but read and written without the lock from a second workqueue and from the completion, cancel and connection-abort paths, which leaves the compiler free to fuse the load in the wait loop or reorder the store. The fix annotates those accesses with READ_ONCE()/WRITE_ONCE(); the potential impact is a missed or delayed command completion.
Vulnerability
Description
CVE-2026-43119 addresses a data race in the Linux kernel's Bluetooth HCI command synchronization code. The field hdev->req_status is set under the protection of hdev->req_lock in the function __hci_cmd_sync_sk(). However, several other functions access hdev->req_status without holding any lock — including hci_send_cmd_sync() (in the hci_cmd_work workqueue), hci_cmd_sync_complete() (from HCI event completion), hci_cmd_sync_cancel() / hci_cmd_sync_cancel_sync(), and hci_abort_conn(). Because __hci_cmd_sync_sk() runs on hdev->req_workqueue and hci_send_cmd_sync() runs on a different workqueue (hdev->workqueue), these contexts can execute concurrently on different CPUs, making the plain C accesses a data race [1][2].
Attack
Vector and Prerequisites
No attacker-specific trigger is described. The race is between kernel contexts, __hci_cmd_sync_sk() on hdev->req_workqueue and hci_cmd_work on hdev->workqueue, together with the HCI event completion, cancel and hci_abort_conn() paths, all of which run in the course of ordinary Bluetooth command handling. Any local activity that keeps commands, controller events and connection teardowns flowing concurrently can therefore reach the race; no crafted command sequence is needed, and none is documented [3]. Injecting HCI commands directly from userspace requires a raw HCI socket, which is privileged, but the same commands are issued by the kernel itself and by the Bluetooth daemon on behalf of unprivileged clients, so local access is the effective prerequisite.
Impact
The consequences are bounded by the compiler transformations the annotations rule out. If the load of hdev->req_status in the wait_event() condition were fused or hoisted, the waiter could keep seeing HCI_REQ_PEND after the completion or cancel path had written a new value and miss the wakeup until the command timeout fires; if the store were torn or reordered against the neighbouring write of the result, a waiter could act on a stale result. Either way the visible effect is a stalled, timed-out or wrongly completed Bluetooth command, that is, degraded or hung Bluetooth operation rather than memory corruption. The CVSS v3 score of 5.5 (medium) reflects the local access requirement and an availability-only impact [4].
Mitigation
The fix adds READ_ONCE()/WRITE_ONCE() to every access of hdev->req_status made outside hdev->req_lock, so that the compiler emits exactly one load or store per access and cannot fuse, tear or reorder them; the store made under req_lock in __hci_cmd_sync_sk() is unchanged. The annotations add no memory ordering of their own: the existing wake_up()/wait_event() pair on hdev->req_wait_q still provides that, and the protocol is not altered, so a patched kernel behaves identically except that the race is gone. The patch is available in the commits referenced by the CVE [1][2]; update to a kernel that includes them. To verify a build, check that the referenced commit is in its git history, or that the accesses to req_status named in the description are annotated; a KCSAN-enabled kernel keeps reporting a data race on hdev->req_status until the fix is in.
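To make the access pattern in the description and the shape of the fix concrete, here is an added userspace model of the request/completion handshake, written for this page and not taken from the kernel. A requester thread sets req_status to HCI_REQ_PEND under req_lock and waits, while a second thread, standing in for the other workqueue, completes or cancels the request without holding the lock. READ_ONCE()/WRITE_ONCE() are defined the way the kernel defines them, as volatile accesses; struct hci_dev_model, req_finish(), controller_thread(), run_scenario(), the 2 ms controller delay and the numeric state values are hypothetical, and smp_mb() stands in for the barriers the kernel's wake_up()/wait_event() pair supplies.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <pthread.h>
#include <time.h>

/* Userspace stand-ins for the kernel annotations: a volatile access is emitted
 * exactly once, so the compiler cannot hoist it out of a wait loop, tear it or
 * merge it with a neighbour. They add no cross-CPU ordering; smp_mb() models
 * the barriers the kernel's wake_up()/wait_event() pair provides. */
#define READ_ONCE(x)     (*(const volatile __typeof__(x) *)&(x))
#define WRITE_ONCE(x, v) (*(volatile __typeof__(x) *)&(x) = (v))
#define smp_mb()         __sync_synchronize()

/* Request states: names follow the kernel, numeric values are assumed. */
enum { HCI_REQ_DONE = 0, HCI_REQ_PEND = 1, HCI_REQ_CANCELED = 2 };

/* Hypothetical subset of struct hci_dev: only the fields the race touches. */
struct hci_dev_model {
    pthread_mutex_t req_lock;   /* hdev->req_lock */
    pthread_cond_t  req_wait_q; /* hdev->req_wait_q */
    int req_status;             /* hdev->req_status, the racy field */
    int req_result;             /* hdev->req_result */
};

/* Completion and cancel paths (cf. hci_cmd_sync_complete(), hci_cmd_sync_cancel()):
 * no req_lock held, so every req_status access is annotated. The result is
 * published before the status; the wakeup itself is taken under req_lock. */
static void req_finish(struct hci_dev_model *hdev, int status, int result)
{
    if (READ_ONCE(hdev->req_status) != HCI_REQ_PEND)
        return;                         /* nothing pending: stale event */
    hdev->req_result = result;
    smp_mb();
    WRITE_ONCE(hdev->req_status, status);
    pthread_mutex_lock(&hdev->req_lock);
    pthread_cond_broadcast(&hdev->req_wait_q);
    pthread_mutex_unlock(&hdev->req_lock);
}

/* The "controller" answers from a second thread (the other workqueue in the
 * kernel description) after a 2 ms delay; CTRL_SILENT never answers. */
enum ctrl_action { CTRL_COMPLETE, CTRL_CANCEL, CTRL_SILENT };
struct ctrl_arg { struct hci_dev_model *hdev; enum ctrl_action action; int value; };

static void *controller_thread(void *p)
{
    struct ctrl_arg *a = p;

    nanosleep(&(struct timespec){ 0, 2000000 }, NULL); /* let the requester sleep */
    if (a->action == CTRL_COMPLETE)
        req_finish(a->hdev, HCI_REQ_DONE, a->value);
    else if (a->action == CTRL_CANCEL)
        req_finish(a->hdev, HCI_REQ_CANCELED, a->value);
    return NULL;
}

/* Request side, modeled on __hci_cmd_sync_sk(): mark PEND under req_lock, hand
 * the command over, wait until the status leaves PEND or the timeout fires.
 * Returns 0 on completion, -err on cancel, -ETIMEDOUT on timeout. */
static int cmd_sync_request(struct hci_dev_model *hdev, enum ctrl_action action,
                            int value, int timeout_ms)
{
    struct ctrl_arg arg = { hdev, action, value };
    struct timespec deadline;
    pthread_t tid;
    int err;
    pthread_mutex_lock(&hdev->req_lock);
    hdev->req_status = HCI_REQ_PEND;    /* plain store: this one holds the lock */
    pthread_create(&tid, NULL, controller_thread, &arg);
    clock_gettime(CLOCK_REALTIME, &deadline);
    deadline.tv_nsec += (long)timeout_ms * 1000000L;
    deadline.tv_sec  += deadline.tv_nsec / 1000000000L;
    deadline.tv_nsec %= 1000000000L;

    /* The wait_event() condition: READ_ONCE() forces a fresh load per check. */
    while (READ_ONCE(hdev->req_status) == HCI_REQ_PEND)
        if (pthread_cond_timedwait(&hdev->req_wait_q, &hdev->req_lock,
                                   &deadline) == ETIMEDOUT)
            break;
    smp_mb();                           /* pairs with the barrier in req_finish() */
    switch (READ_ONCE(hdev->req_status)) {
    case HCI_REQ_DONE:
    case HCI_REQ_CANCELED: err = -hdev->req_result; break;
    default:               err = -ETIMEDOUT;        break;  /* still PEND */
    }
    WRITE_ONCE(hdev->req_status, HCI_REQ_DONE);  /* reset for the next request */
    hdev->req_result = 0;
    pthread_mutex_unlock(&hdev->req_lock);
    pthread_join(tid, NULL);
    return err;
}

/* Fresh device, one request; returns that request's error code. */
static int run_scenario(enum ctrl_action action, int value, int timeout_ms)
{
    struct hci_dev_model hdev = { PTHREAD_MUTEX_INITIALIZER,
                                  PTHREAD_COND_INITIALIZER, HCI_REQ_DONE, 0 };
    return cmd_sync_request(&hdev, action, value, timeout_ms);
}
```

run_scenario(CTRL_COMPLETE, 0, 1000) returns 0, run_scenario(CTRL_CANCEL, 5, 1000) returns -5, and run_scenario(CTRL_SILENT, 0, 20) returns -ETIMEDOUT; a main() that prints those three calls is all that is needed to run it stand-alone. Each annotated access maps onto one the fix touches: the lock-free check in req_finish() is the read in the completion and cancel paths, the loop condition is the wait_event() condition, and the only plain store is the one made with req_lock held. Whether a particular compiler would actually fuse the load here is beside the point: the kernel memory model treats an unannotated plain access that races with another as a data race regardless of what the compiler happens to emit, which is why the fix annotates every such access rather than only the ones shown to misbehave, and why KCSAN flags them.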
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4 news mentions
- Patch Tuesday - May 2026, Rapid7 Blog, May 13, 2026