VDB

CVE-2026-31408

CVE-2026-31408 PUBLISHED

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately releases the lock without holding a reference to the socket. A concurrent close() can free the socket between the lock release and the subsequent sk->sk_state access, resulting in a use-after-free. Other functions in the same file (sco_sock_timeout(), sco_conn_del()) correctly use sco_sock_hold() to safely hold a reference under the lock. Fix by using sco_sock_hold() to take a reference before releasing the lock, and adding sock_put() on all exit paths.

EPSS 0.03% · 7.5th percentile

Risk Scores

EPSS Score
0.03%
7.5th percentile

Affected Products

VendorProductVersions
LinuxLinux6.12.80, 6.18.21, 6.19.11
linuxlinux_kernel2.6.12, 2.6.12, 2.6.12

Timeline

  • Apr 6, 2026 CVE Published
  • Apr 6, 2026 PoC Published
  • Apr 6, 2026 PoC Published
  • Apr 6, 2026 Security Advisory
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
  • May 21, 2026 EPSS Score
  • May 22, 2026 EPSS Score
  • May 23, 2026 EPSS Score
  • May 24, 2026 EPSS Score
  • May 25, 2026 EPSS Score

References

…and 77 more

Open in Interactive Console →
$ Console Community · 100/wk Open console ›