PT-2026-34405 · Linux · Linux Kernel
Published: 2026-04-22 · Updated: 2026-04-23 · CVE-2026-31500
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
A race condition exists in the Bluetooth component where the btintel_hw_error() function issues synchronous HCI commands without holding the hci_req_sync_lock lock. This allows it to race against btintel_shutdown_combined(), which also executes synchronous commands under the same lock. Concurrent manipulation of hdev->req_status and hdev->req_rsp can lead to a situation where the close path frees the response socket buffer (skb) first, resulting in a slab-use-after-free in kfree_skb() when the hardware error path continues execution.
Recommendations
Wrap the recovery sequence in hci_req_sync_lock and hci_req_sync_unlock to ensure it is serialized with all other synchronous HCI command issuers.
Fix
Use After Free
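The serialization recommended above, as a userspace model added here for illustration; it is not kernel code and not taken from the advisory or the upstream patch. The names model_hdev, model_cmd_sync and model_run, the pthread mutex standing in for hci_req_sync_lock/unlock, and the two-command and one-command sequences are assumptions of the model.

```c
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdlib.h>

struct model_hdev {              /* constructed stand-in for struct hci_dev */
    pthread_mutex_t req_lock;    /* plays the role of hci_req_sync_lock/unlock */
    int req_status;              /* 1 while a synchronous command is pending */
    void *req_rsp;               /* response buffer for the pending command */
    atomic_int inflight, peak, done;
};

/* One synchronous command: claim the slot, take the response, free it. */
static void model_cmd_sync(struct model_hdev *h)
{
    int n = atomic_fetch_add(&h->inflight, 1) + 1, p = atomic_load(&h->peak);
    while (n > p && !atomic_compare_exchange_weak(&h->peak, &p, n)) { }
    h->req_status = 1;
    h->req_rsp = malloc(16);     /* response arrives in the shared slot */
    for (int i = 0; i < 100; i++) sched_yield();  /* window for a second issuer */
    void *skb = h->req_rsp;
    h->req_rsp = NULL;
    h->req_status = 0;
    free(skb);                   /* safe only while this issuer owns the slot */
    atomic_fetch_add(&h->done, 1);
    atomic_fetch_sub(&h->inflight, 1);
}

/* Each path holds the lock across its whole sequence, not per command. */
static void model_locked_sequence(struct model_hdev *h, int ncmds)
{
    pthread_mutex_lock(&h->req_lock);
    while (ncmds-- > 0) model_cmd_sync(h);
    pthread_mutex_unlock(&h->req_lock);
}
static void *model_hw_error(void *h) { model_locked_sequence(h, 2); return NULL; }
static void *model_shutdown(void *h) { model_locked_sequence(h, 1); return NULL; }
/* Runs both paths at once; returns commands completed, or -1 on any overlap. */
int model_run(void)
{
    struct model_hdev h = { .req_status = 0 };
    pthread_t a, b;
    pthread_mutex_init(&h.req_lock, NULL);
    pthread_create(&a, NULL, model_hw_error, &h);
    pthread_create(&b, NULL, model_shutdown, &h);
    pthread_join(a, NULL);
    pthread_join(b, NULL);
    return atomic_load(&h.peak) == 1 ? atomic_load(&h.done) : -1;
}
```

The peak counter is the invariant to watch: with every issuer inside the lock it never exceeds 1, so each response buffer is freed exactly once by the path that requested it.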
Weakness Enumeration
Related Identifiers
Affected Products
Linux Kernel