HarborGuard / CVE
HIGH · CVE-2026-31408 · Published · Modified · CNA: Linux

CVE-2026-31408: Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold

sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately releases the lock without holding a reference to the socket. A concurrent close() can free the socket between the lock release and the subsequent sk->sk_state access, resulting in a use-after-free.

Other functions in the same file (sco_sock_timeout(), sco_conn_del()) correctly use sco_sock_hold() to safely hold a reference under the lock.

Fix by using sco_sock_hold() to take a reference before releasing the lock, and adding sock_put() on all exit paths.
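The description above states the race and the fix in prose. The C model below is an added illustration, not part of the HarborGuard record and not the kernel patch: it replays the two orderings deterministically in a single thread by calling a simulated close() exactly where the real sco_recv_frame() has already dropped sco_conn_lock(). The struct and function names (sco_sock, sco_conn, sco_sock_hold, sock_put, recv_frame_model, run_scenario) are simplified stand-ins chosen for this example and do not reproduce the kernel's definitions; the socket values are constructed.

```c
/* Added illustration, not kernel code: a single-threaded model of the
 * reference-counting mistake the advisory describes. The race window is
 * replayed deterministically by calling a simulated close() at the point
 * where the real sco_recv_frame() has already dropped sco_conn_lock(). */
#include <stdio.h>

struct sco_sock {
    int refcnt;    /* simulated socket reference count */
    int sk_state;  /* the field the receive path reads after unlocking */
    int freed;     /* set when the last reference drops (stands in for the free) */
};

struct sco_conn {
    int locked;            /* simulated sco_conn_lock() state */
    struct sco_sock *sk;   /* cleared by a concurrent close() */
};

static void sco_conn_lock(struct sco_conn *c)   { c->locked = 1; }
static void sco_conn_unlock(struct sco_conn *c) { c->locked = 0; }
static void sco_sock_hold(struct sco_sock *sk)  { sk->refcnt++; }

static void sock_put(struct sco_sock *sk)
{
    if (--sk->refcnt == 0)
        sk->freed = 1;     /* a real kernel would return the memory here */
}

/* The concurrent close(): detach the socket from the connection and drop
 * the connection's reference. In the model this runs inside the race window. */
static void concurrent_close(struct sco_conn *c)
{
    struct sco_sock *sk = c->sk;
    c->sk = NULL;
    sock_put(sk);
}

/* Read sk_state only while the object is alive; -1 flags the use-after-free
 * instead of really touching freed memory. */
static int read_state(const struct sco_sock *sk)
{
    return sk->freed ? -1 : sk->sk_state;
}

/* fixed == 0: the pre-fix sequence (read conn->sk, unlock, no hold taken).
 * fixed == 1: the fixed sequence (hold under the lock, put on every exit).
 * Returns the sk_state observed, -1 for a use-after-free, -2 if no socket. */
static int recv_frame_model(struct sco_conn *c, int fixed)
{
    struct sco_sock *sk;
    int state;

    sco_conn_lock(c);
    sk = c->sk;
    if (sk && fixed)
        sco_sock_hold(sk);     /* reference taken before the lock is released */
    sco_conn_unlock(c);

    if (!sk)
        return -2;             /* exit path with no reference to drop */

    concurrent_close(c);       /* the race window: close() runs right here */
    state = read_state(sk);    /* the sk->sk_state access from the advisory */

    if (fixed)
        sock_put(sk);          /* balance the hold on this exit path */
    return state;
}

/* Build a fresh connection/socket pair and run one ordering. */
static int run_scenario(int fixed)
{
    struct sco_sock sk = { 1, 7, 0 };   /* constructed: one ref, sk_state 7 */
    struct sco_conn conn = { 0, &sk };
    return recv_frame_model(&conn, fixed);
}

int main(void)
{
    printf("before fix: %d (-1 = use-after-free)\n", run_scenario(0));
    printf("after fix:  %d (sk_state read safely)\n", run_scenario(1));
    return 0;
}
```

In the unfixed ordering the connection's reference is the only one, so the simulated close() drops the count to zero before sk_state is read; in the fixed ordering the hold taken under the lock keeps the count above zero across the window, and the trailing sock_put() releases it. The same discipline applies to any object read out of a locked structure and used after the lock is released: take the reference while the lock is held, and pair it with a put on every return path.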

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: 0
  • Affected Products: 2

Fix available

  • Fix commits: 108b81514d8f2535eb16651495cefb2250528db3, 45aaca995e4a7a05b272a58e7ab2fff4f611b8f1, 598dbba9919c5e36c54fe1709b557d64120cb94b, 7197462e90b8ce15caa1ae15d4bc2bb8cd21b11e, b0a7da0e3f7442545f071499beb36374714bb9de, d57384e27d1ebf0047e3f00a6e1181b8be9857a2, e76e8f0581ef555eacc11dbb095e602fb30a5361
  • Fixed versions: 0, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0
Affected packages
  • Linux / Linux
    < d57384e27d1ebf0047e3f00a6e1181b8be9857a2 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2)
    < b0a7da0e3f7442545f071499beb36374714bb9de (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2)
    < 45aaca995e4a7a05b272a58e7ab2fff4f611b8f1 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2)
    < 108b81514d8f2535eb16651495cefb2250528db3 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2)
    < 7197462e90b8ce15caa1ae15d4bc2bb8cd21b11e (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2)
    < e76e8f0581ef555eacc11dbb095e602fb30a5361 (from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2)
  • Linux / Linux
    2.6.12
    Fixed in 0, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H