8.8
CVE-2026-31408
- EPSS 0.3%
- Veröffentlicht 06.04.2026 08:16:38
- Zuletzt bearbeitet 20.05.2026 16:18:27
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately releases the lock without holding a reference to the socket. A concurrent close() can free the socket between the lock release and the subsequent sk->sk_state access, resulting in a use-after-free. Other functions in the same file (sco_sock_timeout(), sco_conn_del()) correctly use sco_sock_hold() to safely hold a reference under the lock. Fix by using sco_sock_hold() to take a reference before releasing the lock, and adding sock_put() on all exit paths.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 2.6.12.1 < 5.15.203
Linux ≫ Linux Kernel Version >= 5.16 < 6.1.168
Linux ≫ Linux Kernel Version >= 6.2 < 6.6.131
Linux ≫ Linux Kernel Version >= 6.7 < 6.12.80
Linux ≫ Linux Kernel Version >= 6.13 < 6.18.21
Linux ≫ Linux Kernel Version >= 6.19 < 6.19.11
Linux ≫ Linux Kernel Version2.6.12 Update-
Linux ≫ Linux Kernel Version2.6.12 Updaterc2
Linux ≫ Linux Kernel Version2.6.12 Updaterc3
Linux ≫ Linux Kernel Version2.6.12 Updaterc4
Linux ≫ Linux Kernel Version2.6.12 Updaterc5
Linux ≫ Linux Kernel Version7.0 Updaterc1
Linux ≫ Linux Kernel Version7.0 Updaterc2
Linux ≫ Linux Kernel Version7.0 Updaterc3
Linux ≫ Linux Kernel Version7.0 Updaterc4
Linux ≫ Linux Kernel Version7.0 Updaterc5
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.3% | 0.214 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-416 Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
https://git.kernel.org/stable/c/108b81514d8f2535eb16651495cefb2250528db3
https://git.kernel.org/stable/c/45aaca995e4a7a05b272a58e7ab2fff4f611b8f1
https://git.kernel.org/stable/c/598dbba9919c5e36c54fe1709b557d64120cb94b
https://git.kernel.org/stable/c/7197462e90b8ce15caa1ae15d4bc2bb8cd21b11e
https://git.kernel.org/stable/c/e76e8f0581ef555eacc11dbb095e602fb30a5361
https://git.kernel.org/stable/c/b0a7da0e3f7442545f071499beb36374714bb9de
https://git.kernel.org/stable/c/d57384e27d1ebf0047e3f00a6e1181b8be9857a2