Skip to main content

Linux Kernel CVE-2026-31408

| EUVD-2026-19196 HIGH
Use After Free (CWE-416)
2026-04-06 Linux GHSA-82h6-xw4j-pq2m
Information Disclosure Linux Use After Free Memory Corruption
8.8
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Apr 27, 2026 - 14:23 vuln.today
CVSS changed
Apr 27, 2026 - 14:22 NVD
8.8 (HIGH)
Patch available
Apr 16, 2026 - 05:29 EUVD
108b81514d8f2535eb16651495cefb2250528db3,45aaca995e4a7a05b272a58e7ab2fff4f611b8f1,7197462e90b8ce15caa1ae15d4bc2bb8cd21b11e
EUVD ID Assigned
Apr 06, 2026 - 08:15 euvd
EUVD-2026-19196
CVE Published
Apr 06, 2026 - 07:38 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold

sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately releases the lock without holding a reference to the socket. A concurrent close() can free the socket between the lock release and the subsequent sk->sk_state access, resulting in a use-after-free.

Other functions in the same file (sco_sock_timeout(), sco_conn_del()) correctly use sco_sock_hold() to safely hold a reference under the lock.

Fix by using sco_sock_hold() to take a reference before releasing the lock, and adding sock_put() on all exit paths.

AnalysisAI

Use-after-free in Linux kernel Bluetooth SCO subsystem allows adjacent network attackers to achieve arbitrary code execution with high confidentiality, integrity, and availability impact. The vulnerability exists in sco_recv_frame() which releases a lock on conn->sk without holding a socket reference, creating a race condition where concurrent close() operations can free the socket before subsequent access. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: Identify systems running Linux kernels prior to versions 6.6.131, 6.12.80, 6.18.21, 6.19.11, or 7.0-rc6 and document Bluetooth-enabled infrastructure. Within 7 days: Apply vendor-released patches to all affected kernel versions across production and non-production environments; prioritize systems in Bluetooth-enabled networks or with untrusted adjacent network exposure. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

More from same product – last 7 days

CVE-2026-47334 MEDIUM
5.5 May 28

Kernel availability loss in Ubuntu Linux 6.8, 6.17, and 7.0 can be triggered by any unprivileged local user via a defect
CVE-2026-47335 MEDIUM
5.5 May 28

Kernel panic via NULL pointer dereference in Ubuntu Linux 6.8's AppArmor notification handler allows a locally authentic
CVE-2026-47327 LOW
3.3 May 28

NULL pointer dereference in Ubuntu Linux kernel versions 6.8, 6.17, and 7.0 allows a local unprivileged user to crash th
CVE-2026-47337 LOW
3.3 May 28

NULL pointer dereference in Ubuntu Linux kernel SAUCE patches (versions 6.8, 6.17, and 7.0) allows an unprivileged local
CVE-2026-45844
May 27

In the Linux kernel, the following vulnerability has been resolved: netfilter: arp_tables: fix IEEE1394 ARP payload par

Vendor StatusVendor

Share

CVE-2026-31408 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy