CVE-2026-31408

HIGH 8.8

Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold

CVSS Score

8.8

EPSS Score

0.0%

EPSS Percentile

0th

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately releases the lock without holding a reference to the socket. A concurrent close() can free the socket between the lock release and the subsequent sk->sk_state access, resulting in a use-after-free. Other functions in the same file (sco_sock_timeout(), sco_conn_del()) correctly use sco_sock_hold() to safely hold a reference under the lock. Fix by using sco_sock_hold() to take a reference before releasing the lock, and adding sock_put() on all exit paths.

Vendor	linux
Product	linux
Ecosystems	Linux Kernel
Industries	Technology
Published	Apr 6, 2026
Last Updated	May 11, 2026

Stay Ahead of the Next One

Get instant alerts for linux linux

Be the first to know when new high vulnerabilities affecting linux linux are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

Linux / Linux

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < d57384e27d1ebf0047e3f00a6e1181b8be9857a2 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < b0a7da0e3f7442545f071499beb36374714bb9de 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 45aaca995e4a7a05b272a58e7ab2fff4f611b8f1 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 108b81514d8f2535eb16651495cefb2250528db3 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 7197462e90b8ce15caa1ae15d4bc2bb8cd21b11e 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < e76e8f0581ef555eacc11dbb095e602fb30a5361 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 598dbba9919c5e36c54fe1709b557d64120cb94b

Linux / Linux

2.6.12

References

NVD ↗ CVE.org ↗ EPSS Data ↗

git.kernel.org: https://git.kernel.org/stable/c/d57384e27d1ebf0047e3f00a6e1181b8be9857a2 git.kernel.org: https://git.kernel.org/stable/c/b0a7da0e3f7442545f071499beb36374714bb9de git.kernel.org: https://git.kernel.org/stable/c/45aaca995e4a7a05b272a58e7ab2fff4f611b8f1 git.kernel.org: https://git.kernel.org/stable/c/108b81514d8f2535eb16651495cefb2250528db3 git.kernel.org: https://git.kernel.org/stable/c/7197462e90b8ce15caa1ae15d4bc2bb8cd21b11e git.kernel.org: https://git.kernel.org/stable/c/e76e8f0581ef555eacc11dbb095e602fb30a5361 git.kernel.org: https://git.kernel.org/stable/c/598dbba9919c5e36c54fe1709b557d64120cb94b