Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold
Summary
| CVE | CVE-2026-31408 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-06 08:16:38 UTC |
| Updated | 2026-04-11 13:16:37 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold. sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately releases the lock without holding a reference to the socket. A concurrent close() can free the socket between the lock release and the subsequent sk->sk_state access, resulting in a use-after-free. Other functions in the same file (sco_sock_timeout(), sco_conn_del()) correctly use sco_sock_hold() to safely hold a reference under the lock. Fix by using sco_sock_hold() to take a reference before releasing the lock, and adding sock_put() on all exit paths. |
Risk And Classification
EPSS: 0.000080000 probability, percentile 0.006880000 (date 2026-04-07)
Vendor Declared Affected Products
| Source | Vendor | Product | Status | Version | Range end | Version type | Platforms |
|---|---|---|---|---|---|---|---|
| CNA | Linux | Linux | affected | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 | b0a7da0e3f7442545f071499beb36374714bb9de | git | Not specified |
| CNA | Linux | Linux | affected | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 | 45aaca995e4a7a05b272a58e7ab2fff4f611b8f1 | git | Not specified |
| CNA | Linux | Linux | affected | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 | 108b81514d8f2535eb16651495cefb2250528db3 | git | Not specified |
| CNA | Linux | Linux | affected | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 | 7197462e90b8ce15caa1ae15d4bc2bb8cd21b11e | git | Not specified |
| CNA | Linux | Linux | affected | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 | e76e8f0581ef555eacc11dbb095e602fb30a5361 | git | Not specified |
| CNA | Linux | Linux | affected | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 | 598dbba9919c5e36c54fe1709b557d64120cb94b | git | Not specified |
| CNA | Linux | Linux | affected | 2.6.12 | | | Not specified |
| CNA | Linux | Linux | unaffected | 2.6.12 | | semver | Not specified |
| CNA | Linux | Linux | unaffected | 6.1.168 | 6.1.* | semver | Not specified |
| CNA | Linux | Linux | unaffected | 6.6.131 | 6.6.* | semver | Not specified |
| CNA | Linux | Linux | unaffected | 6.12.80 | 6.12.* | semver | Not specified |
| CNA | Linux | Linux | unaffected | 6.18.21 | 6.18.* | semver | Not specified |
| CNA | Linux | Linux | unaffected | 6.19.11 | 6.19.* | semver | Not specified |
| CNA | Linux | Linux | unaffected | 7.0-rc6 | * | original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/45aaca995e4a7a05b272a58e7ab2fff4f611b8f1 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/e76e8f0581ef555eacc11dbb095e602fb30a5361 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/b0a7da0e3f7442545f071499beb36374714bb9de | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/108b81514d8f2535eb16651495cefb2250528db3 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/598dbba9919c5e36c54fe1709b557d64120cb94b | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/7197462e90b8ce15caa1ae15d4bc2bb8cd21b11e | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.