Skip to main content

Linux Kernel EUVDEUVD-2026-24893

| CVE-2026-31511 HIGH
Use After Free (CWE-416)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-q648-4769-6m83
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
6.1 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 28, 2026 - 15:07 vuln.today
cvss_changed
Patch released
Apr 28, 2026 - 14:59 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:25 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
7.8 (HIGH)
Patch available
Apr 22, 2026 - 16:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24893
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete

This fixes the condition checking so mgmt_pending_valid is executed whenever status != -ECANCELED otherwise calling mgmt_pending_free(cmd) would kfree(cmd) without unlinking it from the list first, leaving a dangling pointer. Any subsequent list traversal (e.g., mgmt_pending_foreach during __mgmt_power_off, or another mgmt_pending_valid call) would dereference freed memory.

AnalysisAI

Use-after-free in Linux kernel Bluetooth MGMT subsystem allows local authenticated users to achieve arbitrary code execution, privilege escalation, or denial of service. The vulnerability stems from improper condition checking in mgmt_add_adv_patterns_monitor_complete(), which can leave dangling pointers after freeing memory without unlinking from the list. Patches available across multiple kernel versions (6.12.80, 6.17, 6.18.21, 6.19.11, 7.0). No evidence of active exploitation (not in CISA KEV), low EPSS score (0.02%, 5th percentile) suggests limited attacker interest despite high CVSS severity.

Technical ContextAI

This is a use-after-free vulnerability in the Linux kernel's Bluetooth Management (MGMT) interface, specifically in the advertisement pattern monitoring functionality. The flaw occurs when mgmt_add_adv_patterns_monitor_complete() incorrectly handles error conditions. When status is not -ECANCELED, the code calls mgmt_pending_free(cmd) which executes kfree(cmd) without first unlinking the command structure from the pending operations list. This creates a dangling pointer that remains in the list pointing to freed heap memory. Subsequent list traversal operations (such as mgmt_pending_foreach during Bluetooth power-off sequences, or other mgmt_pending_valid calls) will dereference this freed memory, triggering a use-after-free condition. This class of vulnerability is particularly dangerous in kernel code as it can lead to arbitrary kernel memory corruption. The fix involves correcting the conditional logic to ensure proper list management before memory deallocation.

RemediationAI

Apply the vendor-released patches immediately through standard kernel update procedures. Patched versions confirmed: Linux 6.12.80, 6.18.21, 6.19.11, and 7.0. Organizations can upgrade to these versions or backport the specific fixes available at git.kernel.org stable tree (commits 340666172cf747de58c283d2eef1f335f050538b, 3a89c33deffb3cb7877a7ea2e50734cd12b064f2, 5f5fa4cd35f707344f65ce9e225b6528691dbbaa, bafec9325d4de26b6c49db75b5d5172de652aae0). If immediate patching is not feasible, consider disabling Bluetooth functionality entirely via kernel boot parameters (bluetooth.disable=1) or blacklisting the Bluetooth kernel modules, though this prevents all Bluetooth operations system-wide. Alternatively, restrict access to the Bluetooth MGMT interface through LSM policies (SELinux/AppArmor) to prevent untrusted local users from accessing Bluetooth management functions, though this is complex to configure correctly and may break legitimate Bluetooth management tools. For containerized environments, ensure Bluetooth capabilities are not granted to containers unless specifically required. Review NVD advisory at https://nvd.nist.gov/vuln/detail/CVE-2026-31511 and upstream kernel.org commits for additional technical guidance.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-24893 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy