CVE-2026-23146

N/A Unknown

📋 TL;DR

A race condition in the Linux kernel's Bluetooth HCI UART driver allows a NULL pointer dereference when a TTY write wakeup occurs during protocol initialization. This vulnerability affects Linux systems with Bluetooth hardware and the HCI UART driver enabled, potentially causing kernel crashes or denial of service.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Specific affected versions not specified in CVE; check kernel commit history for vulnerable versions before fixes.
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with Bluetooth hardware and HCI UART driver enabled; many embedded/IoT devices use this driver.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Kernel panic leading to system crash and denial of service, requiring physical or remote reboot.

🟠 Likely Case: System instability or crash when Bluetooth devices are being initialized, requiring reboot to restore functionality.

🟢 If Mitigated: No impact if patched or if Bluetooth HCI UART driver is not in use.

🌐 Internet-Facing: LOW - Requires local access or Bluetooth proximity; not directly exploitable over internet.
🏢 Internal Only: MEDIUM - Local attackers or malicious Bluetooth devices could trigger the condition, causing system instability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires precise timing to trigger race condition during Bluetooth initialization; local access or Bluetooth proximity needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions with commits: 03e8c90c62233382042b7bd0fa8b8900552fdb62, 0c3cd7a0b862c37acbee6d9502107146cc944398, 186d147cf7689ba1f9b3ddb753ab634a84940cc9, 53e54cb31e667fca05b1808b990eac0807d1dab0, 937a573423ce5a96fdb1fd425dc6b8d8d4ab5779

Vendor Advisory: https://git.kernel.org/stable/c/

Restart Required: Yes

Instructions:

  1. Update the Linux kernel to a version containing the fix commits.
  2. For distributions: use the package manager (apt/yum/dnf) to update the kernel package.
  3. Reboot the system to load the new kernel.

🔧 Temporary Workarounds

Disable Bluetooth HCI UART driver

Prevent driver loading to eliminate vulnerability surface

echo 'blacklist hci_uart' >> /etc/modprobe.d/blacklist.conf
rmmod hci_uart

🧯 If You Can't Patch

  • Disable Bluetooth functionality if not required
  • Implement strict physical access controls to prevent local attackers from triggering the race condition

🔍 How to Verify

Check if Vulnerable:

Check the kernel version and whether the hci_uart module is loaded: lsmod | grep hci_uart

Check Version:

uname -r

Verify Fix Applied:

In a git checkout of the kernel source that matches your running kernel, verify that the history includes the fix commits: git log --oneline | grep -E '03e8c90c6223|0c3cd7a0b862|186d147cf768|53e54cb31e66|937a573423ce'

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs mentioning NULL pointer dereference in hci_uart_write_work
  • Bluetooth initialization failures in system logs

Network Indicators:

  • Bluetooth service disruptions
  • Unexpected system reboots

SIEM Query:

source="kernel" AND "NULL pointer dereference" AND "hci_uart"
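
The log indicator above usually spans several lines of a kernel oops, so a match that needs both strings in one event can miss it when each log line is ingested separately. The following added example (not part of the original advisory) correlates the oops header with a later hci_uart_write_work frame; the function names, the 40-line window and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag kernel oopses whose NULL-dereference header is followed,
# within a bounded number of lines, by a hci_uart_write_work frame.
# Usage on a live system (assumed): dmesg | scan_hci_uart_oops

# $1 = max lines between header and frame (default 40, an assumed value).
# Reads kernel log text on stdin; prints "HIT: <oops header>" per match.
scan_hci_uart_oops() {
    awk -v window="${1:-40}" '
        # x86 "BUG: kernel NULL pointer dereference" and arm64
        # "Unable to handle kernel NULL pointer dereference" both match.
        /NULL pointer dereference/ { header = $0; seen_at = NR; next }
        # Forget a header once the window has passed without a match.
        header != "" && NR - seen_at > window { header = "" }
        header != "" && /hci_uart_write_work/ {
            print "HIT: " header
            header = ""          # report each oops once
        }
    '
}

# Same scan, but prints only the number of matching oopses.
count_hits() {
    scan_hci_uart_oops "$@" | awk '/^HIT: /{ n++ } END { print n + 0 }'
}

# Constructed sample log (not captured from a real system): one oops in
# hci_uart_write_work and one unrelated NULL dereference in a made-up module.
sample_log() {
    cat <<'EOF'
[  101.000001] Bluetooth: HCI UART driver ver 2.3
[  101.204518] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  101.204530] #PF: supervisor read access in kernel mode
[  101.204561] Workqueue: events hci_uart_write_work [hci_uart]
[  101.204570] RIP: 0010:hci_uart_write_work+0x2e/0x120 [hci_uart]
[  530.118200] BUG: kernel NULL pointer dereference, address: 0000000000000008
[  530.118230] RIP: 0010:example_other_driver_fn+0x10/0x40 [example_mod]
EOF
}

# Demo on the constructed sample: prints one HIT line for the first oops.
sample_log | scan_hci_uart_oops
```

The same header-then-frame correlation can be expressed in a SIEM as a sequence or transaction rule keyed on host and a short time window.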
