Data Race in Bluetooth Functionality of Linux Kernel
CVE-2026-43119
What is CVE-2026-43119?
A data race has been identified in the Bluetooth subsystem of the Linux kernel, in the handling of the 'hdev->req_status' variable. Multiple functions access 'hdev->req_status' concurrently without proper locking, which can lead to unpredictable behavior during Bluetooth command processing. Because these accesses run on disjoint workqueues, they can race with one another and leave the request status in an inconsistent state, which may affect system reliability and security. To mitigate this risk, the accesses have been annotated with READ_ONCE() and WRITE_ONCE() to make concurrent access to the shared variable safer, improving the stability of Bluetooth functionality.
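The access pattern described above, as an added userspace model in C (not the kernel's code and not part of the original advisory). The struct, the state names, the error value and the macro definitions (relaxed GCC/Clang atomic builtins standing in for the kernel's READ_ONCE()/WRITE_ONCE()) are constructed assumptions.

```c
#include <pthread.h>
#include <stdio.h>

/* Assumption: relaxed atomics model the kernel's READ_ONCE()/WRITE_ONCE():
 * one untorn access that the compiler may not cache, repeat or merge. */
#define READ_ONCE(x)     __atomic_load_n(&(x), __ATOMIC_RELAXED)
#define WRITE_ONCE(x, v) __atomic_store_n(&(x), (v), __ATOMIC_RELAXED)
enum { REQ_DONE, REQ_PEND, REQ_CANCELED };      /* hypothetical state names */
static struct { int req_status; int req_result; } hdev;  /* constructed model */

/* Completion path: in the kernel this would run on one workqueue. */
static void *complete_req(void *arg)
{
    (void)arg;
    if (READ_ONCE(hdev.req_status) == REQ_PEND) {
        WRITE_ONCE(hdev.req_result, 0);
        WRITE_ONCE(hdev.req_status, REQ_DONE);
    }
    return NULL;
}

/* Cancel path: runs concurrently on a different workqueue, no shared lock. */
static void *cancel_req(void *arg)
{
    (void)arg;
    if (READ_ONCE(hdev.req_status) == REQ_PEND) {
        WRITE_ONCE(hdev.req_result, 125);       /* constructed error value */
        WRITE_ONCE(hdev.req_status, REQ_CANCELED);
    }
    return NULL;
}

/* Mark a request pending, race both paths, return the final status. */
int run_once(void)
{
    pthread_t a, b;
    WRITE_ONCE(hdev.req_status, REQ_PEND);
    if (pthread_create(&a, NULL, complete_req, NULL)) return -1;
    if (pthread_create(&b, NULL, cancel_req, NULL)) { pthread_join(a, NULL); return -1; }
    pthread_join(a, NULL); pthread_join(b, NULL);
    return READ_ONCE(hdev.req_status);
}
int main(void)
{
    int canceled = 0;
    for (int i = 0; i < 1000; i++) canceled += (run_once() == REQ_CANCELED);
    printf("canceled in %d of 1000 runs\n", canceled);
    return 0;
}
```

Build with `cc -pthread`; the annotations make each load and store a single untorn access but do not serialize the two paths, so either final status is possible.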
Affected Version(s)
Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 6e539907c0d11f514c5e0b049b27b04dff48a5b1
Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 40734ce8efc34c4a0d0222855798c0dc14b65f2e