CVE-2026-31408
HIGHBluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold
Title source: cnaDescription
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately releases the lock without holding a reference to the socket. A concurrent close() can free the socket between the lock release and the subsequent sk->sk_state access, resulting in a use-after-free. Other functions in the same file (sco_sock_timeout(), sco_conn_del()) correctly use sco_sock_hold() to safely hold a reference under the lock. Fix by using sco_sock_hold() to take a reference before releasing the lock, and adding sock_put() on all exit paths.
References (7)
Core 7
Core References
Scores
CVSS v3
8.8
EPSS
0.0030
EPSS Percentile
21.9%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-416
Status
published
Products (26)
linux/Kernel
2.6.12 - 5.15.203linux
linux/Kernel
5.16.0 - 6.1.168linux
linux/Kernel
6.13.0 - 6.18.21linux
linux/Kernel
6.19.0 - 6.19.11linux
linux/Kernel
6.2.0 - 6.6.131linux
linux/Kernel
6.7.0 - 6.12.80linux
Linux/Linux
< 2.6.12
Linux/Linux
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - 108b81514d8f2535eb16651495cefb2250528db3
Linux/Linux
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - 45aaca995e4a7a05b272a58e7ab2fff4f611b8f1
Linux/Linux
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - 598dbba9919c5e36c54fe1709b557d64120cb94b
... and 16 more
Published
Apr 06, 2026
Tracked Since
Apr 06, 2026