PatchSiren

CVE-2026-31408 Linux CVE debrief

CVE-2026-31408 is a high-severity Linux kernel memory-safety issue in Bluetooth SCO handling. The bug is a use-after-free in sco_recv_frame(): it reads conn->sk while holding sco_conn_lock(), but then releases the lock without first taking a socket reference. A concurrent close() can free the socket before the later sk->sk_state access. The fix is to hold the socket safely before unlocking and to drop the reference on all exit paths.

Vendor: Linux
Product: Unknown
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-06
Original CVE updated: 2026-05-20
Advisory published: 2026-04-06
Advisory updated: 2026-05-20

Who should care

Linux kernel maintainers, distribution security teams, and operators of systems that use Bluetooth functionality—especially workloads where SCO traffic may be reachable in the running kernel.

Technical summary

NVD maps the issue to CWE-416 (Use After Free) and gives CVSS v3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerable code path is in Bluetooth SCO receive handling, where sco_recv_frame() accesses conn->sk under sco_conn_lock() but does not retain the socket object after unlocking. That creates a race with socket close/free. The supplied record also notes that nearby functions in the same file already use sco_sock_hold() correctly, and the fix is to adopt that pattern plus sock_put() on all exits. NVD’s affected version criteria cover multiple Linux kernel lines up to, but not including, the listed fixed releases.
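
The hold-before-unlock pattern described above, shown as an added userspace model; it is not code from the kernel or from the CVE record. Every `model_*` name is hypothetical, and the `race` callback is an assumption used to place a close() deterministically in the window after the unlock.

```c
/* Userspace model of hold-before-unlock. Names are hypothetical, not kernel code. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
struct model_sock { atomic_int refcnt; int state; };
struct model_conn { pthread_mutex_t lock; struct model_sock *sk; };
static atomic_int freed_count;                  /* sockets released so far */
static void model_sock_put(struct model_sock *sk) {
    if (atomic_fetch_sub(&sk->refcnt, 1) != 1) return;  /* still referenced */
    free(sk);
    atomic_fetch_add(&freed_count, 1);
}
/* Read conn->sk and take a reference while the lock is still held. */
static struct model_sock *model_sock_hold(struct model_conn *conn) {
    pthread_mutex_lock(&conn->lock);
    struct model_sock *sk = conn->sk;
    if (sk) atomic_fetch_add(&sk->refcnt, 1);
    pthread_mutex_unlock(&conn->lock);
    return sk;
}
/* Models close(): detach the socket, then drop the connection's reference. */
static void model_close(struct model_conn *conn) {
    pthread_mutex_lock(&conn->lock);
    struct model_sock *sk = conn->sk;
    conn->sk = NULL;
    pthread_mutex_unlock(&conn->lock);
    if (sk) model_sock_put(sk);
}
/* Fixed receive path; `race` stands in for a close() landing after the unlock. */
static int model_recv_frame(struct model_conn *conn, void (*race)(struct model_conn *)) {
    struct model_sock *sk = model_sock_hold(conn);
    if (!sk) return -1;            /* no reference taken, nothing to put */
    if (race) race(conn);          /* the close() that would otherwise free sk */
    int state = sk->state;         /* safe: our reference keeps sk alive */
    model_sock_put(sk);            /* dropped on every exit after the hold */
    return state;
}
static void model_conn_init(struct model_conn *conn, int state) {
    struct model_sock *sk = malloc(sizeof *sk);
    if (!sk) abort();
    atomic_init(&sk->refcnt, 1);   /* the connection's own reference */
    sk->state = state;
    pthread_mutex_init(&conn->lock, NULL);
    conn->sk = sk;
}
int main(void) {
    struct model_conn conn;
    model_conn_init(&conn, 1);     /* constructed sample state value */
    return model_recv_frame(&conn, model_close) == 1 ? 0 : 1;
}
```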

Defensive priority

High. This is a kernel memory-safety flaw with potential impact on confidentiality, integrity, and availability, and NVD rates it 8.8/HIGH.

Recommended defensive actions

  • Patch or upgrade to a kernel release that includes the fix; NVD lists fixed endpoints of 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, and 6.19.11 for the affected branches.
  • If you maintain a downstream kernel, confirm the backport of the Bluetooth SCO socket-reference fix and the associated sock_put() cleanup.
  • Prioritize systems that enable Bluetooth SCO handling or depend on Bluetooth kernel support, and verify vendor advisories for your exact kernel build.
  • Use the official stable patch references from kernel.org to confirm whether your branch contains the correction.
  • Track any fleet assets still on older kernel lines that fall within the NVD vulnerable ranges.

Evidence notes

The vulnerability description in the supplied CVE/NVD record states that sco_recv_frame() releases sco_conn_lock() before holding a reference to conn->sk, allowing concurrent close() to free the socket and causing a use-after-free. NVD classifies the weakness as CWE-416 and assigns CVSS v3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The record also includes official kernel.org stable patch references, which corroborate that this is a patched kernel issue rather than an unverified report.

Official resources

The CVE record was published on 2026-04-06 and last modified by NVD on 2026-05-20; this debrief uses the published CVE date as the disclosure context.