CVE-2026-31408 — Improper Update of Reference Count in Linux
Severity
5.5MEDIUM
No vectorEPSS
0.0%
top 97.75%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedApr 6
Description
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold
sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately
releases the lock without holding a reference to the socket. A concurrent
close() can free the socket between the lock release and the subsequent
sk->sk_state access, resulting in a use-after-free.
Other functions in the same file (sco_sock_timeout(), sco_conn_del())
correctly u…
Affected Packages3 packages
▶CVEListV5linux/linux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 — b0a7da0e3f7442545f071499beb36374714bb9de+6
🔴Vulnerability Details
2GHSA▶
GHSA-82h6-xw4j-pq2m: In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold↗2026-04-06
OSV▶
CVE-2026-31408: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold sc↗2026-04-06
📋Vendor Advisories
3Red Hat
▶
Microsoft
▶
Debian▶
CVE-2026-31408: linux - In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ...↗2026
🕵️Threat Intelligence
1345💬Community
1Bugzilla▶
CVE-2026-31408 kernel: Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold↗2026-04-06