CVE-2026-43119

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci sync: annotate data-races around hdev->req status

hci cmd sync sk() sets hdev->req status under hdev->req lock:

hdev->req status = HCI REQ PEND;

However, several other functions read or write hdev->req status without holding any lock:

hci send cmd sync() reads req status in hci cmd work (workqueue)
hci cmd sync complete() reads/writes from HCI event completion
hci cmd sync cancel() / hci cmd sync cancel sync() read/write
hci abort conn() reads in connection abort path

Since hci cmd sync sk() runs on hdev->req workqueue while hci send cmd sync() runs on hdev->workqueue, these are different workqueues that can execute concurrently on different CPUs. The plain C accesses constitute a data race.

Add READ ONCE()/WRITE ONCE() annotations on all concurrent accesses to hdev->req status to prevent potential compiler optimizations that could affect correctness (e.g., load fusing in the wait event condition or store reordering).

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2026-43119

Affected Products

Linux

CVE-2026-43119

Related Identifiers

Affected Products

References · 5