PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46275 Linux CVE debrief

CVE-2026-46275 is a HIGH severity vulnerability in the Linux kernel Bluetooth HCI UART implementation. The vulnerability allows for Use-After-Free (UAF) and Null Pointer Dereference (NPD) conditions due to improper lifecycle management of hci_uart. The primary issue arises from the workqueues (init_ready and write_work) only being flushed/cancelled if the HCI_UART_PROTO_READY flag is set during TTY close. If a hangup occurs before setup completes, hci_uart_tty_close() skips the teardown of these workqueues and proceeds to free the `hu` struct. When the scheduled work executes later, it blindly dereferences the freed `hu` struct.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-08
Original CVE updated: 2026-06-14
Advisory published: 2026-06-08
Advisory updated: 2026-06-14

Who should care

Linux kernel developers and maintainers, Bluetooth HCI UART implementation users

Technical summary

The vulnerability is caused by improper synchronization and lifecycle management of hci_uart. The fixes involve re-ordering hci_uart_tty_close() to clear HCI_UART_PROTO_READY first, followed by a cancel_work_sync(&hu->write_work), relocating hu->proto->close(hu) strictly prior to hci_free_dev(hdev), and moving the hdev->stat.byte_rx increment in hci_uart_tty_receive() inside the proto_lock read-side critical section.
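The teardown race described above, and the re-ordered close that fixes it, reduced to a deterministic userspace C model. This is an added example, not kernel code and not the patch itself: the work queue is a single-threaded array drained on demand, a `freed` flag stands in for `kfree(hu)` so the handler can report a dereference instead of touching dead memory, `proto_closed` counts the `proto->close(hu)` call, and cancelling `init_ready` in the fixed path alongside `write_work` is an assumption (the debrief lists `cancel_work_sync(&hu->write_work)` explicitly). The vulnerable close gates all teardown on HCI_UART_PROTO_READY, as the summary describes; the fixed close clears the flag, cancels the work unconditionally, calls close, and only then frees.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Userspace model of hci_uart teardown ordering (not kernel code). */
#define HCI_UART_PROTO_READY 0x1UL
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct work_struct;
typedef void (*work_fn)(struct work_struct *);
struct work_struct { work_fn fn; bool pending; };

struct hci_uart {
    unsigned long flags;
    struct work_struct init_ready;   /* finishes setup, sets PROTO_READY */
    struct work_struct write_work;   /* pushes queued packets to the TTY */
    bool freed;                      /* models kfree(hu); see lead-in */
    int proto_closed;                /* number of proto->close(hu) calls */
};

/* Deterministic stand-in for the system workqueue. */
#define MAX_WORK 8
static struct work_struct *wq[MAX_WORK];
static int wq_len;
static int uaf_events;               /* handler ran against a freed hu */

static void schedule_work(struct work_struct *w) {
    if (!w->pending && wq_len < MAX_WORK) { w->pending = true; wq[wq_len++] = w; }
}

/* cancel_work_sync(): drop the item if it is still queued. */
static void cancel_work_sync(struct work_struct *w) {
    int keep = 0;
    for (int i = 0; i < wq_len; i++) if (wq[i] != w) wq[keep++] = wq[i];
    wq_len = keep;
    w->pending = false;
}

/* Run everything queued, in order, as the workqueue thread would later. */
static void run_pending_work(void) {
    while (wq_len > 0) {
        struct work_struct *w = wq[0];
        memmove(&wq[0], &wq[1], (size_t)(wq_len - 1) * sizeof wq[0]);
        wq_len--;
        w->pending = false;
        w->fn(w);
    }
}

static void init_ready_fn(struct work_struct *w) {
    struct hci_uart *hu = container_of(w, struct hci_uart, init_ready);
    if (hu->freed) { uaf_events++; return; }   /* the UAF the debrief describes */
    hu->flags |= HCI_UART_PROTO_READY;
}

static void write_work_fn(struct work_struct *w) {
    struct hci_uart *hu = container_of(w, struct hci_uart, write_work);
    if (hu->freed) { uaf_events++; return; }
    /* real driver: hand buffered packets to the tty here */
}

/* Pre-fix ordering: teardown only when READY was already set. */
void tty_close_before_fix(struct hci_uart *hu) {
    if (hu->flags & HCI_UART_PROTO_READY) {
        hu->flags &= ~HCI_UART_PROTO_READY;
        cancel_work_sync(&hu->write_work);
        cancel_work_sync(&hu->init_ready);
        hu->proto_closed++;
    }
    hu->freed = true;                        /* hci_free_dev() / kfree(hu) */
}

/* Fixed ordering: clear READY, cancel unconditionally, close, then free. */
void tty_close_after_fix(struct hci_uart *hu) {
    hu->flags &= ~HCI_UART_PROTO_READY;
    cancel_work_sync(&hu->write_work);
    cancel_work_sync(&hu->init_ready);       /* assumption: treated like write_work */
    hu->proto_closed++;                      /* proto->close(hu) strictly before the free */
    hu->freed = true;
}

static void hu_init(struct hci_uart *hu) {
    memset(hu, 0, sizeof *hu);
    hu->init_ready.fn = init_ready_fn;
    hu->write_work.fn = write_work_fn;
    wq_len = 0;
    uaf_events = 0;
}

/* Hangup arrives while setup work is still queued. Returns UAF count. */
int simulate_hangup_before_setup(void (*tty_close)(struct hci_uart *)) {
    struct hci_uart hu;
    hu_init(&hu);
    schedule_work(&hu.init_ready);           /* open(): setup kicked off */
    schedule_work(&hu.write_work);           /* early packet waiting to go out */
    tty_close(&hu);                          /* hangup before init_ready ran */
    run_pending_work();                      /* deferred work executes afterwards */
    return uaf_events;
}

/* Setup completed normally before the close. Returns UAF count. */
int simulate_close_after_setup(void (*tty_close)(struct hci_uart *)) {
    struct hci_uart hu;
    hu_init(&hu);
    schedule_work(&hu.init_ready);
    run_pending_work();                      /* READY is now set */
    schedule_work(&hu.write_work);
    tty_close(&hu);
    run_pending_work();
    return uaf_events;
}
```

Running the two scenarios against both close variants shows why the flag-gated teardown is the bug: the normal path is clean either way, but the hangup-before-setup path leaves two queued handlers pointing at a freed `hu` under the old ordering and none under the new one.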

Defensive priority

high

Recommended defensive actions

  • Apply the patches provided by the Linux kernel maintainers to fix the vulnerability.
  • Ensure that the teardown in hci_uart_tty_close() does not depend on HCI_UART_PROTO_READY being set: the fix clears the flag and cancels write_work unconditionally before hci_free_dev(hdev), so a hangup before setup completes can no longer leave scheduled work pointing at a freed hci_uart.
  • Use the official CVE record [cve-org] and NVD detail [nvd] for further information.

Evidence notes

The vulnerability has a CVSS score of 7.8 and is classified as HIGH severity. The CVE record [cve-org] and NVD detail [nvd] provide further information on the vulnerability.

Official resources

CVE-2026-46275 was published on 2026-06-08T16:16:40.863Z and modified on 2026-06-14T06:16:22.753Z.