CVE-2024-58238 in Linux
Summary
by MITRE • 08/09/2025
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btnxpuart: Resolve TX timeout error in power save stress test
This fixes the tx timeout issue seen while running a stress test on btnxpuart for couple of hours, such that the interval between two HCI commands coincide with the power save timeout value of 2 seconds.
Test procedure using bash script: <load btnxpuart.ko> hciconfig hci0 up //Enable Power Save feature hcitool -i hci0 cmd 3f 23 02 00 00 while (true) do hciconfig hci0 leadv sleep 2 hciconfig hci0 noleadv sleep 2 done
Error log, after adding few more debug prints: Bluetooth: btnxpuart_queue_skb(): 01 0A 20 01 00 Bluetooth: hci0: Set UART break: on, status=0 Bluetooth: hci0: btnxpuart_tx_wakeup() tx_work scheduled Bluetooth: hci0: btnxpuart_tx_work() dequeue: 01 0A 20 01 00 Can't set advertise mode on hci0: Connection timed out (110) Bluetooth: hci0: command 0x200a tx timeout
When the power save mechanism turns on UART break, and btnxpuart_tx_work() is scheduled simultaneously, psdata->ps_state is read as PS_STATE_AWAKE, which prevents the psdata->work from being scheduled, which is responsible to turn OFF UART break.
This issue is fixed by adding a ps_lock mutex around UART break on/off as well as around ps_state read/write. btnxpuart_tx_wakeup() will now read updated ps_state value. If ps_state is PS_STATE_SLEEP, it will first schedule psdata->work, and then it will reschedule itself once UART break has been turned off and ps_state is PS_STATE_AWAKE.
Tested above script for 50,000 iterations and TX timeout error was not observed anymore.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 01/30/2026
The vulnerability identified as CVE-2024-58238 affects the Linux kernel's Bluetooth subsystem, specifically within the btnxpuart driver responsible for handling UART-based Bluetooth communication. This issue manifests as a transmission timeout error that occurs during extended power save stress testing scenarios, where the interval between consecutive HCI commands aligns with the driver's power save timeout value of two seconds. The root cause lies in a race condition between the power save state management and UART break operations, creating a scenario where the driver fails to properly transition between active and sleep states, ultimately leading to communication timeouts that prevent proper Bluetooth advertising mode operations.
The technical flaw stems from insufficient synchronization mechanisms within the btnxpuart driver's power management implementation. When the power save feature is enabled through the HCI command 3f 23 02 00 00, the driver attempts to place the UART interface into a break state to conserve power. However, during concurrent operations where btnxpuart_tx_wakeup() schedules transmission work while the power save mechanism is simultaneously attempting to activate UART break, a race condition occurs. The psdata->ps_state variable, which indicates whether the device is in PS_STATE_AWAKE or PS_STATE_SLEEP, is read without proper locking, causing the system to incorrectly assume the device is awake when it should be asleep, thereby preventing the proper scheduling of work to turn off the UART break condition.
This vulnerability directly maps to CWE-362, which describes a race condition in concurrent programming where two or more threads or processes access shared data concurrently, and at least one of the accesses is a write operation. The issue also aligns with ATT&CK technique T1547.001, which covers registry run keys and startup folder modifications, as the underlying race condition affects system-level power management operations that could potentially impact broader system stability. The problem manifests as a communication timeout error that prevents Bluetooth advertising functionality from working properly, with error messages indicating "Can't set advertise mode on hci0: Connection timed out (110)" and "command 0x200a tx timeout" appearing in kernel logs.
The operational impact of this vulnerability is significant for devices relying on Bluetooth low energy operations and power management features, particularly in embedded systems or IoT devices where extended Bluetooth connectivity is required. The fix implemented involves adding a ps_lock mutex to synchronize access to UART break on/off operations and the ps_state variable reads/writes, ensuring that power state transitions occur atomically. This modification requires btnxpuart_tx_wakeup() to first check if ps_state is PS_STATE_SLEEP, schedule the psdata->work to turn off the UART break, and then reschedule itself once the UART break has been properly disabled and the ps_state has been updated to PS_STATE_AWAKE. The solution was validated through extensive testing with 50,000 iterations of the stress test script, confirming that the transmission timeout errors no longer occur. This fix demonstrates the importance of proper synchronization in kernel-level device drivers where concurrent access to shared resources can lead to critical communication failures and system instability.