CVE-2026-31408

HIGH

Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately releases the lock without holding a reference to the socket. A concurrent close() can free the socket between the lock release and the subsequent sk->sk_state access, resulting in a use-after-free. Other functions in the same file (sco_sock_timeout(), sco_conn_del()) correctly use sco_sock_hold() to safely hold a reference under the lock. Fix by using sco_sock_hold() to take a reference before releasing the lock, and adding sock_put() on all exit paths.

Scores

CVSS v3 8.8
EPSS 0.0030
EPSS Percentile 21.9%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-416
Status published
Products (26)
linux/Kernel 2.6.12 - 5.15.203linux
linux/Kernel 5.16.0 - 6.1.168linux
linux/Kernel 6.13.0 - 6.18.21linux
linux/Kernel 6.19.0 - 6.19.11linux
linux/Kernel 6.2.0 - 6.6.131linux
linux/Kernel 6.7.0 - 6.12.80linux
Linux/Linux < 2.6.12
Linux/Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - 108b81514d8f2535eb16651495cefb2250528db3
Linux/Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - 45aaca995e4a7a05b272a58e7ab2fff4f611b8f1
Linux/Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - 598dbba9919c5e36c54fe1709b557d64120cb94b
... and 16 more
Published Apr 06, 2026
Tracked Since Apr 06, 2026