Use-After-Free Vulnerability in Linux Kernel Bluetooth Component
CVE-2026-31408

Currently unrated

Key Information:

Vendor: Linux

Status
Vendor
CVE Published: 6 April 2026

What is CVE-2026-31408?

A use-after-free vulnerability was identified in the sco_recv_frame() function of the Linux kernel's Bluetooth stack. After acquiring a lock (sco_conn_lock), the function releases it without holding a reference to the socket, which leaves a window in which a concurrent close() operation can free the socket. The function can then go on to use a reference to memory that is no longer valid. The resolution uses sco_sock_hold() to take a reference to the socket before the lock is released and calls sock_put() on all exit paths to avoid similar issues in the future.
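
The pattern described above, as an added userspace model (not kernel code and not part of the original advisory). Only the names sco_conn_lock, sco_sock_hold and sock_put come from the description; the struct layouts, model_close(), model_recv_frame(), run_case() and the racer hook are assumptions made for illustration, and "freeing" only sets a flag so the stale access can be observed safely.

```c
#include <stdatomic.h>
#include <stdio.h>
/* Userspace model with assumed bodies; only the names come from the advisory. */
struct sock { atomic_int refcnt; int freed; int rx_frames; };
struct sco_conn { atomic_flag lock; struct sock *sk; };

static void sco_conn_lock(struct sco_conn *c) { while (atomic_flag_test_and_set(&c->lock)) {} }
static void sco_conn_unlock(struct sco_conn *c) { atomic_flag_clear(&c->lock); }
/* Must be called with the lock held: returns the socket with one extra reference. */
static struct sock *sco_sock_hold(struct sco_conn *c) {
    if (c->sk) atomic_fetch_add(&c->sk->refcnt, 1);
    return c->sk;
}
/* Dropping the last reference "frees" the socket; the model only flags it. */
static void sock_put(struct sock *sk) { if (atomic_fetch_sub(&sk->refcnt, 1) == 1) sk->freed = 1; }

/* Model of close(): detach the socket and drop the connection's reference. */
static void model_close(struct sco_conn *c) {
    sco_conn_lock(c);
    struct sock *sk = c->sk;
    c->sk = NULL;
    sco_conn_unlock(c);
    if (sk) sock_put(sk);
}

/* hold=0: pre-fix pattern; hold=1: reference taken before the lock is released.
 * Returns 0 = delivered, -1 = no socket, -2 = socket already freed when used. */
static int model_recv_frame(struct sco_conn *c, int hold, void (*racer)(struct sco_conn *)) {
    sco_conn_lock(c);
    struct sock *sk = hold ? sco_sock_hold(c) : c->sk;
    sco_conn_unlock(c);
    if (!sk) return -1;
    if (racer) racer(c);               /* close() lands in the unlocked window */
    int ret = sk->freed ? -2 : 0;      /* in the kernel, -2 is the use-after-free */
    if (ret == 0) sk->rx_frames++;
    if (hold) sock_put(sk);            /* every exit path drops the reference */
    return ret;
}
/* One frame against a racing close; reports whether the socket ended up freed. */
static int run_case(int hold, int *freed_at_end) {
    struct sock sk = { 1, 0, 0 };      /* refcnt 1 = the connection's reference */
    struct sco_conn conn = { ATOMIC_FLAG_INIT, &sk };
    int ret = model_recv_frame(&conn, hold, model_close);
    *freed_at_end = sk.freed;
    return ret;
}
int main(void) {
    int f0, f1, r0 = run_case(0, &f0), r1 = run_case(1, &f1);
    printf("without hold: %d (freed=%d), with hold: %d (freed=%d)\n", r0, f0, r1, f1);
    return 0;
}
```

With the reference held, the socket outlives the racing close and is released only by the final sock_put(), so it is neither used after free nor leaked.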

Affected Version(s)

Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 45aaca995e4a7a05b272a58e7ab2fff4f611b8f1

Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 108b81514d8f2535eb16651495cefb2250528db3

Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 7197462e90b8ce15caa1ae15d4bc2bb8cd21b11e

Timeline

  • Vulnerability published

  • Vulnerability Reserved
