CVE-2026-31500
Published: 22 April 2026
Summary
CVE-2026-31500 is a high-severity use-after-free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its exploit likelihood ranks at the 3.6th percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2026-31500 is a race condition vulnerability in the Linux kernel's Bluetooth Intel driver (btintel), tracked as CWE-416 (use-after-free). The issue arises because btintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESET and Intel exception-info retrieval) without holding hci_req_sync_lock(), allowing it to race against hci_dev_do_close() -> btintel_shutdown_combined(), which also uses __hci_cmd_sync() under the same lock. This concurrent manipulation of hdev->req_status/req_rsp can result in the close path freeing the response skb first, leading to a slab-use-after-free in kfree_skb() as reported by KASAN. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-04-22.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity and no user interaction required, given its local vector (AV:L). Successful exploitation triggers the data race during concurrent execution of btintel_hw_error() and the device close path, potentially causing a kernel crash via the use-after-free or enabling further compromise through memory corruption, achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H).
Mitigation involves applying the upstream kernel patches referenced in the stable git commits, such as 5f84e845648dfa86e42de5487f1a774b42f0444d, which wrap the entire recovery sequence in btintel_hw_error() with hci_req_sync_lock/unlock to serialize it against other synchronous HCI command issuers. Security practitioners should update affected Linux kernels to versions including these fixes.
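To see why serializing the whole recovery sequence removes the bug, the following added example (constructed for this page; it is neither kernel code nor part of the btintel patch) models the two paths as short step sequences that share one response slot, standing in for hdev->req_rsp, and enumerates every interleaving of them. A schedule counts as a use-after-free when one path frees a response skb the other path already freed. The step names, the struct layout and the function count_uaf_schedules() are assumptions of this toy model, not kernel identifiers.

```c
/*
 * Toy interleaving model (constructed for this page, not kernel code) of the
 * btintel race: two callers of a synchronous HCI command share one response
 * slot, like hdev->req_rsp. Every schedule of the two paths is explored and a
 * schedule is counted as a use-after-free when a path frees a response skb
 * that the other path has already freed.
 */
#include <stdbool.h>
#include <stdio.h>

enum step { LOCK, ISSUE, TAKE, FREE, UNLOCK };

struct path { enum step steps[5]; int n; };

struct state {
    bool lock_held;   /* models hci_req_sync_lock() ownership */
    int slot;         /* shared response slot: toy skb index, -1 if empty */
    bool freed[2];    /* freed flag per toy skb (at most one per path) */
    int next_skb;     /* allocator for the toy skbs */
    int local[2];     /* each path's private pointer read from the slot */
    int pc[2];        /* program counter per path */
};

/* Execute the next step of path idx. Returns -1 blocked, 1 UAF, 0 ok. */
static int run_step(struct state *s, const struct path *p, int idx)
{
    switch (p[idx].steps[s->pc[idx]]) {
    case LOCK:
        if (s->lock_held)
            return -1;            /* wait for the other path to unlock */
        s->lock_held = true;
        break;
    case UNLOCK:
        s->lock_held = false;
        break;
    case ISSUE:                   /* controller reply lands in the shared slot */
        s->slot = s->next_skb++;
        break;
    case TAKE:                    /* skb = hdev->req_rsp (the racy read) */
        s->local[idx] = s->slot;
        break;
    case FREE:                    /* kfree_skb(skb) */
        if (s->freed[s->local[idx]])
            return 1;             /* freeing an skb already freed: UAF */
        s->freed[s->local[idx]] = true;
        break;
    }
    s->pc[idx]++;
    return 0;
}

/* Depth-first enumeration of all interleavings; returns the UAF schedule count. */
static int explore(struct state s, const struct path *p)
{
    int uaf = 0;
    for (int i = 0; i < 2; i++) {
        if (s.pc[i] >= p[i].n)
            continue;             /* this path has finished */
        struct state next = s;
        int r = run_step(&next, p, i);
        if (r < 0)
            continue;             /* blocked on the lock: only the other path can move */
        uaf += (r == 1) ? 1 : explore(next, p);
    }
    return uaf;
}

/* Count UAF schedules with the hw_error path either unlocked (before the fix)
 * or wrapped in the same lock as the close path (after the fix). */
int count_uaf_schedules(bool hw_error_locked)
{
    struct path paths[2] = {
        /* hw_error path: issue a command, read the reply, free it */
        { { ISSUE, TAKE, FREE }, 3 },
        /* close path: the same sequence, always under hci_req_sync_lock */
        { { LOCK, ISSUE, TAKE, FREE, UNLOCK }, 5 },
    };
    if (hw_error_locked)
        paths[0] = paths[1];
    struct state init = { .slot = -1, .local = { -1, -1 } };
    return explore(init, paths);
}

int main(void)
{
    printf("UAF schedules, hw_error unlocked: %d\n", count_uaf_schedules(false));
    printf("UAF schedules, hw_error locked:   %d\n", count_uaf_schedules(true));
    return 0;
}
```

With the hw_error path unlocked the enumeration finds schedules in which both paths read the same reply from the shared slot and free it twice; once that path takes the same lock as the close path, no interleaving of the two command sequences remains, which is exactly what wrapping btintel_hw_error() in hci_req_sync_lock/unlock buys. The model is deliberately coarse (the real driver issues two commands and also manages req_status), but the shared-slot hazard it exhibits is the one the advisory describes.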
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24876
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock

btintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESET and Intel exception-info retrieval) without holding hci_req_sync_lock(). This lets it race against hci_dev_do_close() -> btintel_shutdown_combined(), which also runs __hci_cmd_sync() under the same lock. When both paths manipulate hdev->req_status/req_rsp concurrently, the close path may free the response skb first, and the still-running hw_error path hits a slab-use-after-free in kfree_skb().

Wrap the whole recovery sequence in hci_req_sync_lock/unlock so it is serialized with every other synchronous HCI command issuer.

Below is the data race report and the kasan report:

BUG: data-race in __hci_cmd_sync_sk / btintel_shutdown_combined

read of hdev->req_rsp at net/bluetooth/hci_sync.c:199 by task kworker/u17:1/83:
 __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200
 __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223
 btintel_hw_error+0x114/0x670 drivers/bluetooth/btintel.c:254
 hci_error_reset+0x348/0xa30 net/bluetooth/hci_core.c:1030

write/free by task ioctl/22580:
 btintel_shutdown_combined+0xd0/0x360 drivers/bluetooth/btintel.c:3648
 hci_dev_close_sync+0x9ae/0x2c10 net/bluetooth/hci_sync.c:5246
 hci_dev_do_close+0x232/0x460 net/bluetooth/hci_core.c:526

BUG: KASAN: slab-use-after-free in sk_skb_reason_drop+0x43/0x380 net/core/skbuff.c:1202
Read of size 4 at addr ffff888144a738dc by task kworker/u17:1/83:
 __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200
 __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223
 btintel_hw_error+0x186/0x670 drivers/bluetooth/btintel.c:260
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel UAF race condition in btintel driver allows low-privileged user to trigger memory corruption for privilege escalation (or DoS), directly matching T1068 Exploitation for Privilege Escalation.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely identification, testing, and deployment of patches to remediate kernel flaws like the btintel race condition leading to use-after-free.
- Memory protection: implements memory safeguards that protect against unauthorized access or execution resulting from use-after-free errors triggered by the concurrent HCI command execution.
- CM-7 (Least Functionality): configures systems to disable non-essential Bluetooth driver functionality, preventing local attackers from triggering the vulnerable hw_error and close paths.