Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold

sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately
releases the lock without holding a reference to the socket. A concurrent
close() can free the socket between the lock release and the subsequent
sk->sk_state access, resulting in a use-after-free.

Other functions in the same file (sco_sock_timeout(), sco_conn_del())
correctly use sco_sock_hold() to safely hold a reference under the lock.

Fix by using sco_sock_hold() to take a reference before releasing the
lock, and adding sock_put() on all exit paths.
Published: 2026-04-06
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Use-After-Free in Bluetooth SCO socket handling
Action: Apply Patch
AI Analysis

Impact

A concurrent close operation can free the socket after the lock in sco_recv_frame() is released but before the socket state is accessed, causing a use-after-free. This memory corruption may lead to kernel crashes or permit an attacker to execute arbitrary kernel code, potentially escalating privileges. The vulnerability resides in the Bluetooth SCO subsystem and requires a malicious or malformed SCO frame transmitted during a connection.

Affected Systems

All Linux kernel implementations that contain the vulnerable sco_recv_frame() routine. No specific kernel versions are listed in the CNA data, so any kernel prior to the patch containing this fix is susceptible.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while an EPSS score of less than 1% suggests low likelihood of exploitation. The vulnerability is not in the CISA KEV catalog. Based on the description, the likely attack vector is a Bluetooth device that initiates or sends SCO frames; an attacker must be able to connect or interfere with a target’s Bluetooth stack to trigger the use-after-free.

Generated by OpenCVE AI on April 28, 2026 at 08:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel release that incorporates the sco_recv_frame fix.
  • Reboot the system to activate the updated kernel.
  • If immediate patching is not feasible, restrict Bluetooth services or disable the SCO profile until a security update is applied.

Generated by OpenCVE AI on April 28, 2026 at 08:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Sat, 18 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
References

Sat, 11 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
References

Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-911
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Mon, 06 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately releases the lock without holding a reference to the socket. A concurrent close() can free the socket between the lock release and the subsequent sk->sk_state access, resulting in a use-after-free. Other functions in the same file (sco_sock_timeout(), sco_conn_del()) correctly use sco_sock_hold() to safely hold a reference under the lock. Fix by using sco_sock_hold() to take a reference before releasing the lock, and adding sock_put() on all exit paths.
Title Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-27T14:02:55.823Z

Reserved: 2026-03-09T15:48:24.086Z

Link: CVE-2026-31408

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-06T08:16:38.757

Modified: 2026-04-27T14:16:36.977

Link: CVE-2026-31408

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-06T00:00:00Z

Links: CVE-2026-31408 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T09:00:06Z

Weaknesses