CVE-2026-31408
Published: Apr 6, 2026
Modified: May 11, 2026
CVSS v3.1
8.8
Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately releases the lock without holding a reference to the socket. A concurrent close() can free the socket between the lock release and the subsequent sk->sk_state access, resulting in a use-after-free. Other functions in the same file (sco_sock_timeout(), sco_conn_del()) correctly use sco_sock_hold() to safely hold a reference under the lock. Fix by using sco_sock_hold() to take a reference before releasing the lock, and adding sock_put() on all exit paths.
| Vendor | Product | Versions |
|---|---|---|
Linux | Linux | affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - < d57384e27d1ebf0047e3f00a6e1181b8be9857a2affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - < b0a7da0e3f7442545f071499beb36374714bb9deaffected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - < 45aaca995e4a7a05b272a58e7ab2fff4f611b8f1affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - < 108b81514d8f2535eb16651495cefb2250528db3affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - < 7197462e90b8ce15caa1ae15d4bc2bb8cd21b11e+2 more versions |
Linux | Linux | affected 2.6.12unaffected 0 - < 2.6.12unaffected 5.15.203 - <= 5.15.*unaffected 6.1.168 - <= 6.1.*unaffected 6.6.131 - <= 6.6.*+4 more versions |
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now