{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "973bb97e5aee56edddaae3d5c96877101ad509c0"
            },
            {
              "fixed": "7e041d0aad1d4d43d921ace052e04f4e2cacaed3"
            },
            {
              "fixed": "5f84e845648dfa86e42de5487f1a774b42f0444d"
            },
            {
              "fixed": "e10a4cb72468686ffbe8bb2b0520e37f6be1a0c5"
            },
            {
              "fixed": "66696648af477dc87859e5e4b607112f5f29d010"
            },
            {
              "fixed": "f7d84737663ad4a120d2d8ef1561a4df91282c2e"
            },
            {
              "fixed": "94d8e6fe5d0818e9300e514e095a200bd5ff93ae"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.3.0"
            },
            {
              "fixed": "6.1.175"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.2.0"
            },
            {
              "fixed": "6.6.131"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.7.0"
            },
            {
              "fixed": "6.12.80"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.13.0"
            },
            {
              "fixed": "6.18.21"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "6.19.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31500.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock\n\nbtintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESET\nand Intel exception-info retrieval) without holding\nhci_req_sync_lock().  This lets it race against\nhci_dev_do_close() -\u003e btintel_shutdown_combined(), which also runs\n__hci_cmd_sync() under the same lock.  When both paths manipulate\nhdev-\u003ereq_status/req_rsp concurrently, the close path may free the\nresponse skb first, and the still-running hw_error path hits a\nslab-use-after-free in kfree_skb().\n\nWrap the whole recovery sequence in hci_req_sync_lock/unlock so it\nis serialized with every other synchronous HCI command issuer.\n\nBelow is the data race report and the kasan report:\n\n  BUG: data-race in __hci_cmd_sync_sk / btintel_shutdown_combined\n\n  read of hdev-\u003ereq_rsp at net/bluetooth/hci_sync.c:199\n  by task kworker/u17:1/83:\n   __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200\n   __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223\n   btintel_hw_error+0x114/0x670 drivers/bluetooth/btintel.c:254\n   hci_error_reset+0x348/0xa30 net/bluetooth/hci_core.c:1030\n\n  write/free by task ioctl/22580:\n   btintel_shutdown_combined+0xd0/0x360\n    drivers/bluetooth/btintel.c:3648\n   hci_dev_close_sync+0x9ae/0x2c10 net/bluetooth/hci_sync.c:5246\n   hci_dev_do_close+0x232/0x460 net/bluetooth/hci_core.c:526\n\n  BUG: KASAN: slab-use-after-free in\n   sk_skb_reason_drop+0x43/0x380 net/core/skbuff.c:1202\n  Read of size 4 at addr ffff888144a738dc\n  by task kworker/u17:1/83:\n   __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200\n   __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223\n   btintel_hw_error+0x186/0x670 drivers/bluetooth/btintel.c:260",
  "id": "CVE-2026-31500",
  "modified": "2026-07-08T05:37:02.217967583Z",
  "published": "2026-04-22T13:54:21.071Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5f84e845648dfa86e42de5487f1a774b42f0444d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/66696648af477dc87859e5e4b607112f5f29d010"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7e041d0aad1d4d43d921ace052e04f4e2cacaed3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/94d8e6fe5d0818e9300e514e095a200bd5ff93ae"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e10a4cb72468686ffbe8bb2b0520e37f6be1a0c5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f7d84737663ad4a120d2d8ef1561a4df91282c2e"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31500.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31500"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.7.5",
  "summary": "Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock"
}