PatchSiren

CVE-2026-31511 Linux CVE debrief

CVE-2026-31511 is a Linux kernel Bluetooth MGMT memory-safety issue where an incorrect status check could let mgmt_pending_free() free a command object without first unlinking it from the pending list. That leaves a dangling pointer behind, and later list walks can dereference freed memory. NVD rates the issue HIGH (CVSS 3.1: 7.8) with local, low-privilege conditions and high impact to confidentiality, integrity, and availability. The NVD record was published on 2026-04-22 and last modified on 2026-05-17.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-22
Original CVE updated: 2026-05-17
Advisory published: 2026-04-22
Advisory updated: 2026-05-17

Who should care

Linux kernel maintainers, distribution security teams, and operators running Bluetooth-enabled Linux systems, especially anyone tracking stable kernel updates in the affected release lines.

Technical summary

The issue is in Bluetooth MGMT handling, specifically mgmt_add_adv_patterns_monitor_complete. The fix changes the condition so mgmt_pending_valid runs whenever status != -ECANCELED. Without that check, mgmt_pending_free(cmd) can kfree(cmd) while the object is still linked on the pending list. Subsequent traversal such as mgmt_pending_foreach during __mgmt_power_off, or another mgmt_pending_valid call, may dereference the freed object. NVD classifies the weakness as CWE-416 (use after free). The recorded vulnerable version ranges are Linux kernel 6.12.59 up to but not including 6.12.80, 6.16.10 up to but not including 6.17, 6.17.1 up to but not including 6.18.21, and 6.19 up to but not including 6.19.11; NVD also lists specific vulnerable 6.17 and 7.0-rc variants.

Defensive priority

High

Recommended defensive actions

  • Apply the Linux kernel fixes referenced by NVD and vendor stable patch links.
  • Prioritize patched kernel builds for systems that enable Bluetooth management features.
  • Verify deployed kernel versions against the NVD affected ranges and update any in-scope 6.12, 6.16, 6.17, 6.18, 6.19, or 7.0-rc builds.
  • Monitor downstream distro advisories for backported fixes matching the upstream stable commits.
  • If patching is delayed, reduce exposure by limiting unnecessary Bluetooth use on affected hosts where operationally feasible.
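
One way to carry out the version check above, as an added example that is not part of the NVD record or the kernel project. The function names and the sample release strings are constructed for illustration; the ranges are the ones listed in the technical summary, and because the specific 6.17 and 7.0-rc variants are not named on this page, those builds are sent to manual review rather than guessed.

```python
import platform
import re

# Affected upstream ranges as listed on this page: (inclusive start, exclusive end).
AFFECTED_RANGES = [
    ((6, 12, 59), (6, 12, 80)),
    ((6, 16, 10), (6, 17, 0)),
    ((6, 17, 1), (6, 18, 21)),
    ((6, 19, 0), (6, 19, 11)),
]
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def parse_release(release):
    """Split a `uname -r` style string into ((major, minor, patch), suffix)."""
    match = RELEASE_RE.match(release.strip())
    if match is None:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, suffix = match.groups()
    return (int(major), int(minor), int(patch or 0)), suffix


def classify(release):
    """Return 'in-range', 'review' or 'not-in-range' for one kernel release."""
    version, suffix = parse_release(release)
    # The page notes that NVD lists specific 6.17 and 7.0-rc variants without
    # naming them here, so 6.17.0 and any -rc build go to manual review.
    if version == (6, 17, 0) or re.search(r"-rc\d+", suffix):
        return "review"
    for start, end in AFFECTED_RANGES:
        if start <= version < end:
            # Upstream base version is in range; a distro build may still
            # carry a backported fix, so confirm against the distro advisory.
            return "in-range"
    return "not-in-range"


if __name__ == "__main__":
    # Constructed sample releases, followed by the running Linux host's kernel.
    for sample in ["6.12.79", "6.12.80", "6.17.0-14-generic", "7.0-rc2",
                   "6.18.20-1-amd64", "5.15.0-101-generic", platform.release()]:
        print(f"{sample:24} {classify(sample)}")
```

An "in-range" result only says the upstream base version falls inside an NVD range; the distro advisory decides whether a given package build already carries the backported fix.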

Evidence notes

The debrief is based only on the supplied NVD record and its official kernel references. The NVD description explicitly mentions a dangling pointer created when mgmt_pending_free() frees cmd without unlinking it first, and warns that later list traversal can dereference freed memory. NVD assigns CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and CWE-416. The record includes affected-version criteria and four kernel.org stable patch references, all from official sources. No KEV entry was supplied.

Official resources

Publicly disclosed in the NVD record on 2026-04-22 and updated on 2026-05-17.