CVE-2026-31511
Published: 22 April 2026
Summary
CVE-2026-31511 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its exploit likelihood ranks at the 2.4th percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-11 (Error Handling).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the use-after-free vulnerability in the Linux kernel's Bluetooth MGMT subsystem by requiring timely application of upstream patches to fix the improper error handling.
- Provides run-time memory protections such as address space layout randomization and supervisor mode execution prevention that mitigate exploitation of the dangling pointer use-after-free.
- Mandates secure error and exception handling in kernel components to prevent logic errors like improper condition checks that lead to freeing structures without list unlinking.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A use-after-free in the Linux kernel's Bluetooth MGMT subsystem gives a low-privileged local user a path to memory corruption or arbitrary kernel read/write (T1068, privilege escalation) or to a kernel panic (T1499.004, denial of service).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete. This fixes the condition checking so mgmt_pending_valid is executed whenever status != -ECANCELED; otherwise calling mgmt_pending_free(cmd) would kfree(cmd) without unlinking it from the list first, leaving a dangling pointer. Any subsequent list traversal (e.g., mgmt_pending_foreach during __mgmt_power_off, or another mgmt_pending_valid call) would dereference freed memory.
Deeper analysis
CVE-2026-31511 is a use-after-free vulnerability (CWE-416) in the Linux kernel's Bluetooth Management (MGMT) subsystem, specifically in the mgmt_add_adv_patterns_monitor_complete function. The issue arises from improper condition checking during error handling: when the status is not -ECANCELED, mgmt_pending_free is called on a command structure (cmd) without first unlinking it from the pending list, resulting in a kfree that leaves a dangling pointer. Subsequent operations, such as list traversals in mgmt_pending_foreach (e.g., during __mgmt_power_off) or additional mgmt_pending_valid calls, can then dereference the freed memory, potentially leading to kernel crashes or memory corruption.
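To make the free-before-unlink ordering concrete, here is an added illustration (not kernel code, and not from the advisory or the upstream commits): a small model of a pending-command list in which the "buggy" completion path frees an entry that is still linked, and the "fixed" path unlinks it first. Names such as pending_add, pending_unlink, mock_kfree, complete and run_scenario are this example's own; the mock allocator only records freed addresses, so the later list walk can count dangling entries instead of dereferencing freed memory.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of a pending-command list, constructed for this example
 * (not kernel code). Entries are never really released, so the walk below
 * can report a dangling entry instead of dereferencing freed memory. */
struct pending_cmd { struct pending_cmd *next; };
static struct pending_cmd pool[2];        /* backing storage for commands */
static struct pending_cmd *pending_head;  /* list a later foreach walks   */
static const void *freed[2];              /* mock kfree: "freed" addresses */
static int nfreed;

static void pending_add(struct pending_cmd *c) { c->next = pending_head; pending_head = c; }
/* Unlink cmd from the list: the step the buggy path skips. */
static void pending_unlink(struct pending_cmd *cmd) {
    for (struct pending_cmd **pp = &pending_head; *pp; pp = &(*pp)->next)
        if (*pp == cmd) { *pp = cmd->next; return; }
}
static void mock_kfree(struct pending_cmd *cmd) { freed[nfreed++] = cmd; }

/* Completion handler. Buggy: for any status other than -ECANCELED cmd is
 * freed while still linked. Fixed: always unlink before freeing. The cancel
 * path is modelled as unlink-then-free in both (an assumption here). */
static void complete(struct pending_cmd *cmd, int status, bool fixed) {
    if (!fixed && status != -ECANCELED) { mock_kfree(cmd); return; }
    pending_unlink(cmd);
    mock_kfree(cmd);
}

/* Walk the list as a later mgmt_pending_foreach would, counting entries that
 * point at freed memory; in the real kernel each hit is the use-after-free. */
static int count_dangling(void) {
    int hits = 0;
    for (struct pending_cmd *c = pending_head; c; c = c->next)
        for (int i = 0; i < nfreed; i++) if (freed[i] == c) hits++;
    return hits;
}
/* One add/complete cycle with a non-cancel error; returns dangling entries. */
static int run_scenario(bool fixed) {
    pending_head = NULL; nfreed = 0;
    pending_add(&pool[0]); pending_add(&pool[1]);
    complete(&pool[1], -EIO, fixed);   /* -EIO stands for any non-cancel status */
    return count_dangling();
}

int main(void) {
    printf("buggy: %d dangling, fixed: %d dangling\n", run_scenario(false), run_scenario(true));
    return 0;
}
```

The buggy run leaves one list entry pointing at freed memory, which is exactly what a subsequent mgmt_pending_foreach or mgmt_pending_valid would dereference; the fixed run leaves none.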
The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable by a local attacker with low privileges and low complexity, requiring no user interaction. Successful exploitation could grant the attacker high impacts on confidentiality, integrity, and availability, such as arbitrary kernel memory read/write or denial-of-service via kernel panic.
Mitigation is provided through upstream kernel patches in the stable trees, as detailed in the referenced commits: 340666172cf747de58c283d2eef1f335f050538b, 3a89c33deffb3cb7877a7ea2e50734cd12b064f2, 5f5fa4cd35f707344f65ce9e225b6528691dbbaa, and bafec9325d4de26b6c49db75b5d5172de652aae0. Security practitioners should ensure Linux kernels are updated to incorporate these fixes, particularly on systems utilizing Bluetooth functionality.
Details
- CWE(s)