Cyber Resilience

CVE-2026-31408

High

Published: 06 April 2026
Modified: 20 May 2026
KEV Added: not listed
Patch: available
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0030 (21.5th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-31408 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 21.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-18 (Wireless Access).

Deeper analysis

CVE-2026-31408 is a use-after-free vulnerability in the Linux kernel's Bluetooth Synchronous Connection-Oriented (SCO) subsystem, specifically within the sco_recv_frame() function. The flaw occurs because sco_recv_frame() reads conn->sk while holding the sco_conn_lock() but releases the lock without acquiring a reference to the socket via sco_sock_hold(). A concurrent close() operation can free the socket between lock release and the subsequent access to sk->sk_state, resulting in a use-after-free. This contrasts with other functions in the same file, such as sco_sock_timeout() and sco_conn_del(), which properly use sco_sock_hold().

An attacker within Bluetooth range (AV:A) can trigger the flaw with low complexity (AC:L), no privileges (PR:N) and no user interaction (UI:N). The vector rates the impact as high on confidentiality, integrity and availability (C:H/I:H/A:H) with no scope change (S:U), for a CVSS v3.1 base score of 8.8. In practice the outcome depends on winning the race between frame reception and close(): the reliable result is a kernel crash (denial of service), while arbitrary code execution additionally requires controlling what the allocator places in the freed socket's memory before sk->sk_state is read, which the CVSS vector does not assess.

Mitigation is provided through patches in Linux kernel stable releases, as detailed in kernel git commits including 108b81514d8f2535eb16651495cefb2250528db3, 45aaca995e4a7a05b272a58e7ab2fff4f611b8f1, 598dbba9919c5e36c54fe1709b557d64120cb94b, 7197462e90b8ce15caa1ae15d4bc2bb8cd21b11e, and b0a7da0e3f7442545f071499beb36374714bb9de. These commits fix the issue by invoking sco_sock_hold() to hold a socket reference before releasing the lock and adding sock_put() on all exit paths.
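The race described above, modelled as an added example that is not Linux kernel code: the struct, lock and refcount names mirror the kernel's (sco_sock, sco_conn, sco_conn_lock(), sco_sock_hold(), sock_put()) but are reduced stand-ins, nothing is really freed, and the "concurrent" close() is invoked at the exact point in the race window rather than from a second thread. Both the vulnerable shape of sco_recv_frame() and the fixed shape the commits describe are included, so the difference the sco_sock_hold()/sock_put() pair makes can be executed rather than read.

```c
/* Added illustration of the sco_recv_frame() race; not Linux kernel code.
 * sco_sock, sco_conn, sco_conn_lock()/sco_conn_unlock(), sco_sock_hold() and
 * sock_put() are reduced stand-ins for the kernel objects of the same names.
 * Nothing is really freed: sock_put() flags the socket as freed at refcount
 * zero so the use-after-free surfaces as a return code, and the "concurrent"
 * close() is injected at the exact point in the race window. */
#include <stdbool.h>
#include <stddef.h>

#define BT_CONNECTED 1

struct sco_sock {
    int refcnt;         /* stands in for sk->sk_refcnt */
    int sk_state;
    bool freed;         /* set where the kernel would free the socket */
};

struct sco_conn {
    int locked;         /* stands in for the sco_conn lock */
    struct sco_sock *sk;
};

static void sco_conn_lock(struct sco_conn *c)   { c->locked = 1; }
static void sco_conn_unlock(struct sco_conn *c) { c->locked = 0; }
static void sco_sock_hold(struct sco_sock *sk)  { sk->refcnt++; }

static void sock_put(struct sco_sock *sk)
{
    if (--sk->refcnt == 0)
        sk->freed = true;   /* the real kernel returns the memory here */
}

/* The other side of the race: close() detaches the socket under the lock and
 * drops the connection's reference. */
static void sco_close(struct sco_conn *conn)
{
    sco_conn_lock(conn);
    struct sco_sock *sk = conn->sk;
    conn->sk = NULL;
    sco_conn_unlock(conn);
    if (sk)
        sock_put(sk);
}

enum recv_result { RECV_OK, RECV_DROP, RECV_UAF };

/* Vulnerable shape: read conn->sk under the lock, drop the lock, then
 * dereference sk with no reference of our own. `race` is the point where the
 * scheduler lets close() run; NULL means no contention. */
static enum recv_result sco_recv_frame_vuln(struct sco_conn *conn,
                                            void (*race)(struct sco_conn *))
{
    sco_conn_lock(conn);
    struct sco_sock *sk = conn->sk;
    sco_conn_unlock(conn);
    if (!sk)
        return RECV_DROP;
    if (race)
        race(conn);
    if (sk->freed)
        return RECV_UAF;    /* kernel: sk->sk_state read from freed memory */
    return sk->sk_state == BT_CONNECTED ? RECV_OK : RECV_DROP;
}

/* Fixed shape, as the referenced commits describe: take the reference while
 * the lock is still held, and sock_put() on every exit path. */
static enum recv_result sco_recv_frame_fixed(struct sco_conn *conn,
                                             void (*race)(struct sco_conn *))
{
    sco_conn_lock(conn);
    struct sco_sock *sk = conn->sk;
    if (sk)
        sco_sock_hold(sk);
    sco_conn_unlock(conn);
    if (!sk)
        return RECV_DROP;   /* nothing held, nothing to put */
    if (race)
        race(conn);         /* close() drops its reference; ours keeps sk alive */
    enum recv_result rc = sk->freed ? RECV_UAF   /* cannot happen while held */
                        : sk->sk_state == BT_CONNECTED ? RECV_OK : RECV_DROP;
    sock_put(sk);           /* the one exit for the held reference */
    return rc;
}

typedef enum recv_result recv_fn(struct sco_conn *, void (*)(struct sco_conn *));

/* Drive one receive path with close() landing inside the race window. */
static enum recv_result run_race(recv_fn *recv)
{
    struct sco_sock sk = { .refcnt = 1, .sk_state = BT_CONNECTED, .freed = false };
    struct sco_conn conn = { .locked = 0, .sk = &sk };
    return recv(&conn, sco_close);
}
```

run_race(sco_recv_frame_vuln) returns RECV_UAF and run_race(sco_recv_frame_fixed) returns RECV_OK. Without contention both paths return RECV_OK and leave the socket's refcount where they found it, which is the second property the fix has to preserve: a held reference that is not put on some exit path is a leak rather than a use-after-free. In a real kernel the RECV_UAF case is a read from freed memory, and what that read sees depends on what the allocator has since placed there.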


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold

sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately releases the lock without holding a reference to the socket. A concurrent close() can free the socket between the lock release and the subsequent sk->sk_state access, resulting in a use-after-free. Other functions in the same file (sco_sock_timeout(), sco_conn_del()) correctly use sco_sock_hold() to safely hold a reference under the lock. Fix by using sco_sock_hold() to take a reference before releasing the lock, and adding sock_put() on all exit paths.

CWE(s)

CWE-416 Use After Free

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1210 Exploitation of Remote Services (tactic: Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

A use-after-free in the kernel's Bluetooth SCO stack, reachable from adjacent range without authentication, gives an attacker a kernel memory corruption primitive. If that primitive can be turned into kernel code execution the result is privilege escalation (T1068), and because the entry point is the Bluetooth service exposed to nearby devices it also maps to exploitation of a remote service (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23193 (same product: Linux kernel)
CVE-2026-23226 (same product: Linux kernel)
CVE-2026-23461 (same product: Linux kernel)
CVE-2026-23428 (same product: Linux kernel)
CVE-2026-31533 (same product: Linux kernel)
CVE-2026-31444 (same product: Linux kernel)
CVE-2023-53021 (same product: Linux kernel)
CVE-2022-49694 (same product: Linux kernel)
CVE-2022-49377 (same product: Linux kernel)
CVE-2024-57801 (same product: Linux kernel)

Affected Assets

Linux kernel (vendor: Linux)
Affected versions as listed: 2.6.12; 7.0; 2.6.12.1 to 5.15.203; 5.16 to 6.1.168; 6.2 to 6.6.131 (range bounds inclusive). These are upstream version numbers. Distribution kernels backport fixes without changing the upstream version string, so a kernel whose version falls inside a range is not confirmed vulnerable until the distribution's changelog has been checked for the sco_recv_frame() fix.
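The check a practitioner would run against the list above, added here as an example that is not part of the page or the kernel project: it parses an upstream kernel version string (a trailing "-generic" or similar suffix is ignored) and tests it against the three inclusive ranges the page lists. The two single entries "2.6.12" and "7.0" are ambiguous as listed and are deliberately left out. A match only says the version falls inside a listed range; because distributions backport fixes without bumping the version, the result still has to be confirmed against the distribution's changelog.

```c
/* Added example, not from the page or the kernel project: compares an
 * upstream kernel version string against the ranges listed under Affected
 * Assets. The ranges are copied from this page; the single entries "2.6.12"
 * and "7.0" are ambiguous as listed and are not interpreted. A match means
 * "check the distribution changelog for the sco_recv_frame() fix", not
 * "confirmed vulnerable": distributions backport without changing the version. */
#include <stdlib.h>

struct kver { int n[4]; };   /* up to four dotted numeric components */

/* Parse "6.6.131-generic" into {6,6,131,0}. Parsing stops at the first
 * character that is neither a digit nor a dot, so "-generic", "+" and "-rc1"
 * suffixes are ignored and missing components read as 0. */
static struct kver kver_parse(const char *s)
{
    struct kver v = { {0, 0, 0, 0} };
    for (int i = 0; i < 4; i++) {
        char *end;
        v.n[i] = (int)strtol(s, &end, 10);
        if (end == s || *end != '.')
            break;
        s = end + 1;
    }
    return v;
}

/* Numeric comparison, so 5.15.9 sorts before 5.15.10 (a plain string
 * comparison would get this wrong). Returns <0, 0 or >0 like strcmp. */
static int kver_cmp(struct kver a, struct kver b)
{
    for (int i = 0; i < 4; i++)
        if (a.n[i] != b.n[i])
            return a.n[i] < b.n[i] ? -1 : 1;
    return 0;
}

struct range { const char *lo, *hi; };   /* both bounds inclusive */

/* Ranges exactly as listed on this page. */
static const struct range affected[] = {
    { "2.6.12.1", "5.15.203" },
    { "5.16",     "6.1.168"  },
    { "6.2",      "6.6.131"  },
};

/* Returns the index of the listed range containing `version`, or -1 when the
 * version is outside every listed range. */
static int affected_range_index(const char *version)
{
    struct kver v = kver_parse(version);
    for (size_t i = 0; i < sizeof affected / sizeof affected[0]; i++) {
        if (kver_cmp(kver_parse(affected[i].lo), v) <= 0 &&
            kver_cmp(v, kver_parse(affected[i].hi)) <= 0)
            return (int)i;
    }
    return -1;
}
```

Feed it the output of uname -r: affected_range_index("6.6.131-generic") returns 2 (the 6.2 to 6.6.131 range) while "6.6.132" and "5.15.204" return -1. The version just past each upper bound falling outside the list is exactly the case to double-check against the distribution changelog rather than trust blindly.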

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly remediates the use-after-free in the Linux kernel's Bluetooth SCO sco_recv_frame() by requiring timely application of vendor patches that add the missing socket reference counting.

AC-18 Wireless Access (prevent)
Controls and authorizes wireless access, including Bluetooth, so that hosts with no need for Bluetooth can disable it or restrict connections and remove the adjacent-network exposure. On Linux the radio can be blocked with rfkill block bluetooth, or, where Bluetooth is built as a module, the module can be kept from loading with an "install bluetooth /bin/false" line in /etc/modprobe.d/; the SCO code is part of that module, so either measure takes the vulnerable receive path out of reach.

SI-16 Memory Protection (prevent)
Memory protections such as ASLR and non-executable memory raise the cost of turning the use-after-free into code execution. They do not remove the flaw and do not prevent a crash (denial of service), so they are defence in depth rather than a substitute for SI-2.
