Skip to main content

Linux Kernel CVE-2026-31408

| EUVDEUVD-2026-19196 HIGH
Use After Free (CWE-416)
2026-04-06 Linux GHSA-82h6-xw4j-pq2m
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Apr 27, 2026 - 14:23 vuln.today
CVSS changed
Apr 27, 2026 - 14:22 NVD
8.8 (HIGH)
Patch available
Apr 16, 2026 - 05:29 EUVD
108b81514d8f2535eb16651495cefb2250528db3,45aaca995e4a7a05b272a58e7ab2fff4f611b8f1,7197462e90b8ce15caa1ae15d4bc2bb8cd21b11e
EUVD ID Assigned
Apr 06, 2026 - 08:15 euvd
EUVD-2026-19196
CVE Published
Apr 06, 2026 - 07:38 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold

sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately releases the lock without holding a reference to the socket. A concurrent close() can free the socket between the lock release and the subsequent sk->sk_state access, resulting in a use-after-free.

Other functions in the same file (sco_sock_timeout(), sco_conn_del()) correctly use sco_sock_hold() to safely hold a reference under the lock.

Fix by using sco_sock_hold() to take a reference before releasing the lock, and adding sock_put() on all exit paths.

AnalysisAI

Use-after-free in Linux kernel Bluetooth SCO subsystem allows adjacent network attackers to achieve arbitrary code execution with high confidentiality, integrity, and availability impact. The vulnerability exists in sco_recv_frame() which releases a lock on conn->sk without holding a socket reference, creating a race condition where concurrent close() operations can free the socket before subsequent access. Vendor patches available across multiple stable kernel versions (6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0-rc6). EPSS score of 0.01% suggests minimal observed exploitation probability despite high CVSS 8.8 rating. No CISA KEV listing or public exploit identified at time of analysis.

Technical ContextAI

This is a use-after-free vulnerability in the Linux kernel's Bluetooth Synchronous Connection-Oriented (SCO) protocol implementation, specifically in net/bluetooth/sco.c. The flaw stems from improper socket lifecycle management using a classic time-of-check-time-of-use (TOCTOU) race condition. The vulnerable function sco_recv_frame() acquires sco_conn_lock() to safely read conn->sk, but immediately releases the lock without incrementing the socket's reference counter via sco_sock_hold(). Between lock release and subsequent sk->sk_state access, a concurrent thread executing close() can decrement the reference count to zero and free the socket structure. When sco_recv_frame() then dereferences the freed memory, it triggers use-after-free with potential for memory corruption. Other functions in the same subsystem (sco_sock_timeout, sco_conn_del) demonstrate the correct pattern of calling sco_sock_hold() under lock protection followed by sock_put() on exit paths. The vulnerability exists since the initial git import (commit 1da177e4c3f4) dating back to Linux 2.6.12, affecting all subsequent versions until patched.

RemediationAI

Upgrade to patched Linux kernel versions: 6.6.131 or later for 6.6.x series (commit e76e8f0581ef), 6.12.80+ for 6.12.x (commit 598dbba9919c), 6.18.21+ for 6.18.x (commit 7197462e90b8), 6.19.11+ for 6.19.x (commit 45aaca995e4a), or 7.0-rc6+ for mainline (commit 108b81514d8f). Official patches available at https://git.kernel.org/stable/. For systems unable to immediately patch, implement compensating controls: disable Bluetooth subsystem entirely via kernel boot parameter 'bluetooth.disable=1' or blacklist btusb/bluetooth kernel modules (eliminates attack vector but breaks Bluetooth functionality); restrict Bluetooth to trusted devices only via allowlisting in /etc/bluetooth/main.conf (reduces but does not eliminate risk); deploy network segmentation to isolate Bluetooth-enabled systems from untrusted physical spaces (adds defense-in-depth). Note that disabling SCO protocol specifically while maintaining other Bluetooth profiles may not be feasible without kernel recompilation. Monitor for unusual Bluetooth connection attempts in kernel logs (dmesg, journalctl filtering for 'bluetooth' and 'sco'). Compensating controls trade operational Bluetooth capability for security and should be temporary pending patching.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31408 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy