Cyber Resilience

CVE-2026-31500

Severity: High (updated)
Published: 22 April 2026
Modified: 01 June 2026
KEV Added: not listed
Patch: upstream fix available (see Deeper analysis)
CVSS v3.1 score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0001 (3.6th percentile)
Risk priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-31500 is a high-severity use-after-free (CWE-416) vulnerability in the Linux kernel (vendor: Linux). Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks the CVE at the 3.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2026-31500 is a race condition in the Linux kernel's Bluetooth Intel driver (btintel), tracked as CWE-416 (use-after-free). The issue arises because btintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESET and Intel exception-info retrieval) without holding hci_req_sync_lock(), so it can race against hci_dev_do_close() -> btintel_shutdown_combined(), which also calls __hci_cmd_sync() under that lock. When both paths manipulate hdev->req_status/req_rsp concurrently, the close path can free the response skb first, and the still-running hw_error path then hits a slab-use-after-free in kfree_skb(), as reported by KASAN. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-04-22.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity and no user interaction required, given its local vector (AV:L). Successful exploitation triggers the data race during concurrent execution of btintel_hw_error() and the device close path, potentially causing a kernel crash via the use-after-free or enabling further compromise through memory corruption, achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H).

Mitigation involves applying the upstream kernel patches referenced in the stable git commits, such as 5f84e845648dfa86e42de5487f1a774b42f0444d, which wrap the entire recovery sequence in btintel_hw_error() with hci_req_sync_lock/unlock to serialize it against other synchronous HCI command issuers. Security practitioners should update affected Linux kernels to versions including these fixes.


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock

btintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESET and Intel exception-info retrieval) without holding hci_req_sync_lock(). This lets it race against hci_dev_do_close() -> btintel_shutdown_combined(), which also runs __hci_cmd_sync() under the same lock. When both paths manipulate hdev->req_status/req_rsp concurrently, the close path may free the response skb first, and the still-running hw_error path hits a slab-use-after-free in kfree_skb(). Wrap the whole recovery sequence in hci_req_sync_lock/unlock so it is serialized with every other synchronous HCI command issuer.

Below is the data race report and the kasan report:

    BUG: data-race in __hci_cmd_sync_sk / btintel_shutdown_combined
    read of hdev->req_rsp at net/bluetooth/hci_sync.c:199 by task kworker/u17:1/83:
     __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200
     __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223
     btintel_hw_error+0x114/0x670 drivers/bluetooth/btintel.c:254
     hci_error_reset+0x348/0xa30 net/bluetooth/hci_core.c:1030
    write/free by task ioctl/22580:
     btintel_shutdown_combined+0xd0/0x360 drivers/bluetooth/btintel.c:3648
     hci_dev_close_sync+0x9ae/0x2c10 net/bluetooth/hci_sync.c:5246
     hci_dev_do_close+0x232/0x460 net/bluetooth/hci_core.c:526

    BUG: KASAN: slab-use-after-free in sk_skb_reason_drop+0x43/0x380 net/core/skbuff.c:1202
    Read of size 4 at addr ffff888144a738dc by task kworker/u17:1/83:
     __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200
     __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223
     btintel_hw_error+0x186/0x670 drivers/bluetooth/btintel.c:260
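
As an added illustration (not code from the kernel, the commit, or this advisory), the following userland C model replays the interleaving that the analysis and the report above describe: two synchronous command issuers share a single per-device response slot, and only a lock held across the whole issue/read/free sequence keeps one issuer's read from observing an skb the other issuer is about to free. The struct and function names are constructed stand-ins for hdev->req_rsp, hci_req_sync_lock() and kfree_skb(); the "close path" always locks, and the flag selects whether the "hw_error path" does too.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed userland model (not kernel code): two synchronous HCI issuers share
 * one hdev->req_rsp slot; only the lock keeps an issuer's read/clear/free whole. */
struct skb_model { bool freed; };
struct hdev_model {
    struct skb_model pool[3];       /* one response skb per path (index = path id) */
    struct skb_model *req_rsp;      /* the single shared response slot */
    struct skb_model *taken[3];     /* skb each path last read from the slot */
    int lock_owner;                 /* models hci_req_sync_lock(); 0 = unlocked */
    int uaf_count;                  /* where KASAN would report slab-use-after-free */
};
enum { HW_ERROR = 1, CLOSE = 2 };   /* btintel_hw_error() vs hci_dev_do_close() path */
enum { ISSUE, READ, FREE };         /* phases of one __hci_cmd_sync() round trip */

static void step(struct hdev_model *h, int who, int phase, bool locks) {
    struct skb_model *skb = h->taken[who];
    if (phase == ISSUE) {           /* command sent; response parked in the slot */
        if (locks) h->lock_owner = who;
        h->req_rsp = &h->pool[who];
        h->req_rsp->freed = false;
    } else if (phase == READ) {     /* skb = hdev->req_rsp; not atomic with the clear */
        h->taken[who] = h->req_rsp;
    } else {                        /* hdev->req_rsp = NULL; kfree_skb(skb); */
        h->req_rsp = NULL;
        if (skb && skb->freed) h->uaf_count++;   /* KASAN: slab-use-after-free */
        if (skb) skb->freed = true;
        if (locks) h->lock_owner = 0;
    }
}

/* Replays the reported interleaving (close path reads the slot between the hw_error
 * path's read and free) and returns how many use-after-frees the model detected. */
static int run_race(bool hw_error_locks) {
    struct hdev_model h = { 0 };
    const bool locks[3] = { false, hw_error_locks, true };
    const int who[6] = { HW_ERROR, CLOSE, CLOSE, HW_ERROR, CLOSE, HW_ERROR };
    int next_phase[3] = { ISSUE, ISSUE, ISSUE };
    for (int n = 0; n < 6; n++) {
        int w = who[n];
        while (locks[w] && h.lock_owner && h.lock_owner != w) {
            int o = h.lock_owner;   /* blocked on the lock: the holder runs until it unlocks */
            step(&h, o, next_phase[o]++, locks[o]);
        }
        if (next_phase[w] <= FREE) step(&h, w, next_phase[w]++, locks[w]);
    }
    return h.uaf_count;
}
```

run_race(false) reproduces the unpatched driver and reports one use-after-free; run_race(true) models the fix, where the hw_error path cannot interleave with the close path at all.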


Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A local kernel use-after-free race condition in the btintel driver allows a low-privileged user to trigger memory corruption for privilege escalation (or denial of service), directly matching T1068 Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 (same product: Linux kernel)
CVE-2026-31530 (same product: Linux kernel)
CVE-2026-43019 (same product: Linux kernel)
CVE-2026-23158 (same product: Linux kernel)
CVE-2025-21893 (same product: Linux kernel)
CVE-2026-31446 (same product: Linux kernel)
CVE-2026-31650 (same product: Linux kernel)
CVE-2026-23001 (same product: Linux kernel)
CVE-2024-50051 (same product: Linux kernel)
CVE-2025-21759 (same product: Linux kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 4.3, 7.0; 4.3.1 through 6.6.131; 6.7 through 6.12.80; 6.13 through 6.18.21

Mitigating Controls (NIST 800-53 r5)

prevent, SI-2 Flaw Remediation: Directly requires timely identification, testing, and deployment of patches to remediate kernel flaws like the btintel race condition leading to use-after-free.

prevent, memory protection: Implements memory safeguards that protect against unauthorized access or execution from use-after-free errors triggered by the concurrent HCI command execution.

prevent, CM-7 Least Functionality: Configures systems to disable non-essential Bluetooth driver functionality, preventing local attackers from triggering the vulnerable hw_error and close paths.
