Skip to main content

Linux Kernel EUVDEUVD-2026-27647

| CVE-2026-43119 MEDIUM
2026-05-06 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 13, 2026 - 00:00 vuln.today
CVSS changed
May 12, 2026 - 21:37 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 11:31 EUVD
CVE Published
May 06, 2026 - 07:40 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_sync: annotate data-races around hdev->req_status

__hci_cmd_sync_sk() sets hdev->req_status under hdev->req_lock:

hdev->req_status = HCI_REQ_PEND;

However, several other functions read or write hdev->req_status without holding any lock:

  • hci_send_cmd_sync() reads req_status in hci_cmd_work (workqueue)
  • hci_cmd_sync_complete() reads/writes from HCI event completion
  • hci_cmd_sync_cancel() / hci_cmd_sync_cancel_sync() read/write
  • hci_abort_conn() reads in connection abort path

Since __hci_cmd_sync_sk() runs on hdev->req_workqueue while hci_send_cmd_sync() runs on hdev->workqueue, these are different workqueues that can execute concurrently on different CPUs. The plain C accesses constitute a data race.

Add READ_ONCE()/WRITE_ONCE() annotations on all concurrent accesses to hdev->req_status to prevent potential compiler optimizations that could affect correctness (e.g., load fusing in the wait_event condition or store reordering).

AnalysisAI

Data race conditions in the Linux kernel Bluetooth subsystem allow local authenticated attackers to cause denial of service by triggering concurrent access to hdev->req_status without proper synchronization. The vulnerability exists in the HCI synchronous command processing path where __hci_cmd_sync_sk() and multiple other functions access the same variable across different workqueues without holding locks, potentially causing memory corruption or system hangs.

Technical ContextAI

The Linux kernel's Bluetooth HCI (Host Controller Interface) layer implements synchronous command execution through hdev->req_status, a shared state variable tracking request completion. The vulnerability arises from concurrent access patterns: __hci_cmd_sync_sk() modifies req_status under hdev->req_lock on the hdev->req_workqueue, while hci_send_cmd_sync(), hci_cmd_sync_complete(), hci_cmd_sync_cancel(), and hci_abort_conn() read or write the same variable without synchronization on different execution contexts (workqueue callbacks, HCI event handlers, connection abort paths). These different workqueues can execute concurrently on multi-CPU systems, creating data races where the compiler may optimize away critical loads/stores (load fusing, store reordering) that the kernel logic depends on for correct synchronization semantics. The fix introduces READ_ONCE() and WRITE_ONCE() macros to prevent compiler-level optimizations that could violate the kernel's implied memory ordering guarantees.

RemediationAI

Linux distributions should update the kernel to patched versions: 6.12.83 or later, 6.18.24 or later, 6.19.14 or later, or 7.0 or later. Users unable to immediately apply patches can reduce exposure by disabling Bluetooth subsystem support if not required (load -r bluetooth_core in modprobe configuration) or restricting local user access via PAM/systemd-logind to limit the pool of authenticated attackers capable of triggering the race. Alternatively, isolate Bluetooth devices to dedicated USB buses or disable concurrent Bluetooth operations through udev rules limiting the number of simultaneous HCI commands. These workarounds may impact legitimate Bluetooth functionality and should be evaluated against operational requirements. The preferred remediation is kernel update, as patched stable branches provide backported fixes without other behavioral changes.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27647 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy