CVE-2026-31408
Published: 06 April 2026
Summary
CVE-2026-31408 is a high-severity an unspecified weakness vulnerability in Kernel (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 8.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-18 (Wireless Access).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the use-after-free vulnerability in the Linux kernel's Bluetooth SCO sco_recv_frame() by requiring timely application of vendor patches that add proper socket reference counting.
Controls and authorizes wireless access including Bluetooth, enabling disabling of SCO capabilities or restricting connections to prevent adjacent-network exploitation.
Implements memory protections such as ASLR and non-executable memory to mitigate successful exploitation of the use-after-free leading to code execution or denial of service.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
UAF in Linux kernel Bluetooth SCO stack (adjacent access, no auth) directly enables kernel RCE leading to privilege escalation; maps to exploitation of the Bluetooth remote service.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately releases the lock without holding a reference to the socket. A concurrent close()…
more
can free the socket between the lock release and the subsequent sk->sk_state access, resulting in a use-after-free. Other functions in the same file (sco_sock_timeout(), sco_conn_del()) correctly use sco_sock_hold() to safely hold a reference under the lock. Fix by using sco_sock_hold() to take a reference before releasing the lock, and adding sock_put() on all exit paths.
Deeper analysisAI
CVE-2026-31408 is a use-after-free vulnerability in the Linux kernel's Bluetooth Synchronous Connection-Oriented (SCO) subsystem, specifically within the sco_recv_frame() function. The flaw occurs because sco_recv_frame() reads conn->sk while holding the sco_conn_lock() but releases the lock without acquiring a reference to the socket via sco_sock_hold(). A concurrent close() operation can free the socket between lock release and the subsequent access to sk->sk_state, resulting in a use-after-free. This contrasts with other functions in the same file, such as sco_sock_timeout() and sco_conn_del(), which properly use sco_sock_hold().
An attacker with adjacent network access, such as Bluetooth proximity (AV:A), can exploit this vulnerability with low complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). Successful exploitation leads to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with a CVSS v3.1 base score of 8.8 and no scope change (S:U), potentially enabling arbitrary code execution, data corruption, or denial of service.
Mitigation is provided through patches in Linux kernel stable releases, as detailed in kernel git commits including 108b81514d8f2535eb16651495cefb2250528db3, 45aaca995e4a7a05b272a58e7ab2fff4f611b8f1, 598dbba9919c5e36c54fe1709b557d64120cb94b, 7197462e90b8ce15caa1ae15d4bc2bb8cd21b11e, and b0a7da0e3f7442545f071499beb36374714bb9de. These commits fix the issue by invoking sco_sock_hold() to hold a socket reference before releasing the lock and adding sock_put() on all exit paths.
Details
- CWE(s)