CVE-2026-31408

Severity: High (CVSS 3.1 base score 8.8)
EPSS: 21.7%
Published: Apr 6, 2026
Last Modified: Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold

sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately releases the lock without holding a reference to the socket. A concurrent close() can free the socket between the lock release and the subsequent sk->sk_state access, resulting in a use-after-free.

Other functions in the same file (sco_sock_timeout(), sco_conn_del()) correctly use sco_sock_hold() to safely hold a reference under the lock.

Fix by using sco_sock_hold() to take a reference before releasing the lock, and adding sock_put() on all exit paths.
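The reference-under-lock pattern the description refers to, as an added single-threaded userspace model (not the kernel's code and not taken from the patches). All struct and function names are hypothetical, the concurrent close() is simulated by a direct call placed in the window after the unlock, and "freeing" only sets a flag so the outcome can be inspected safely.

```c
#include <stdio.h>

/* Userspace model only: struct and function names are hypothetical. */
struct sock_model { int refcnt; int state; int freed; };
struct conn_model { int locked; struct sock_model *sk; };

static void hold(struct sock_model *sk) { sk->refcnt++; }
static void put(struct sock_model *sk)
{
    if (--sk->refcnt == 0)
        sk->freed = 1;  /* stands in for freeing; memory is kept so it can be inspected */
}

/* Simulated concurrent close(): detach the socket and drop the owner's reference. */
static void racing_close(struct conn_model *conn)
{
    struct sock_model *sk = conn->sk;
    if (sk) { conn->sk = NULL; put(sk); }
}

/* Returns the socket state, -1 if there is no socket, -2 if a freed socket was reached. */
static int recv_frame(struct conn_model *conn, int take_ref)
{
    struct sock_model *sk;
    int rc;

    conn->locked = 1;               /* models taking the connection lock */
    sk = conn->sk;
    if (sk && take_ref) hold(sk);   /* the fix: reference taken before unlocking */
    conn->locked = 0;               /* models releasing the lock */
    if (!sk) return -1;
    racing_close(conn);             /* close() lands between unlock and the state read */
    rc = sk->freed ? -2 : sk->state;
    if (take_ref) put(sk);          /* reference dropped on the exit path */
    return rc;
}

/* Constructed scenario: one socket in state 7 holding a single owner reference. */
int run_case(int take_ref)
{
    struct sock_model sk = { 1, 7, 0 };
    struct conn_model conn = { 0, &sk };
    return recv_frame(&conn, take_ref);
}

int main(void)
{
    printf("no reference: %d, with reference: %d\n", run_case(0), run_case(1));
    return 0;
}
```

Without the extra reference the simulated close() drops the last reference before the state is read; with it, the socket stays alive until the receive path releases its own reference.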

CVSS Details

Base Score: 8.8
Exploitability: 2.8
Impact: 5.9
Vector string: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Threat Intelligence

EPSS Exploit Probability: 21.7% percentile
Exploit & Patch Status: No Known Exploit; Patch Available

Weaknesses 1

CWE-416: Use After Free (Memory Safety)

Affected Products 16

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥2.6.12.1 – <5.15.203
linux   linux_kernel  *        ≥5.16 – <6.1.168
linux   linux_kernel  *        ≥6.2 – <6.6.131
linux   linux_kernel  *        ≥6.7 – <6.12.80
linux   linux_kernel  *        ≥6.13 – <6.18.21
linux   linux_kernel  *        ≥6.19 – <6.19.11
linux   linux_kernel  2.6.12   any
linux   linux_kernel  2.6.12   any
linux   linux_kernel  2.6.12   any
linux   linux_kernel  2.6.12   any
linux   linux_kernel  2.6.12   any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any

References 7

  • git.kernel.org https://git.kernel.org/stable/c/108b81514d8f2535eb16651495cefb2250528db3
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/45aaca995e4a7a05b272a58e7ab2fff4f611b8f1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/598dbba9919c5e36c54fe1709b557d64120cb94b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7197462e90b8ce15caa1ae15d4bc2bb8cd21b11e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b0a7da0e3f7442545f071499beb36374714bb9de
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d57384e27d1ebf0047e3f00a6e1181b8be9857a2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e76e8f0581ef555eacc11dbb095e602fb30a5361
    Patch
