Severity: HIGH
Bluetooth SCO use-after-free (UAF)
CVE-2026-31408
CVSS vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.1 HIGH (note: the CVSS 3.1 vector as written evaluates to a base score of 8.8 with the standard calculator; 7.1 is KernelScan's own rating)
01 Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold

sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately releases the lock without holding a reference to the socket. A concurrent close() can free the socket between the lock release and the subsequent sk->sk_state access, resulting in a use-after-free.

Other functions in the same file (sco_sock_timeout(), sco_conn_del()) correctly use sco_sock_hold() to safely hold a reference under the lock.

Fix by using sco_sock_hold() to take a reference before releasing the lock, and adding sock_put() on all exit paths.
02 KernelScan AI Analysis

Risk summary

A race between SCO frame reception (sco_recv_frame()) and a concurrent close() of the same socket can free the socket while the receive path still dereferences it. An attacker within Bluetooth (adjacent) range who can drive SCO traffic at the target and win the race against a socket teardown could trigger a kernel use-after-free; depending on what reclaims the freed memory, that yields a kernel crash (denial of service) or, potentially, kernel memory corruption and information disclosure. No privileges or user interaction on the target are required beyond an established SCO link.

Vulnerability analysis

sco_recv_frame() takes sco_conn_lock(), copies conn->sk into a local pointer, and drops the lock before reading sk->sk_state. Nothing pins the socket across that window: the only thing keeping it alive was the lock, so a close() that runs between the unlock and the sk->sk_state read can detach the socket from the connection and drop its last reference, after which the receive path reads freed memory. The other users of conn->sk in the same file (sco_sock_timeout(), sco_conn_del()) already avoid this by calling sco_sock_hold() while the lock is still held.

The fix applies the same pattern to sco_recv_frame(): take a reference with sco_sock_hold() before releasing the lock, so the concurrent close() can drop its own reference but cannot free the object, and call sock_put() on every exit path. The second half matters as much as the first: once the receive path holds a reference, any early return that skips sock_put() leaks the socket (its refcount never reaches zero), so when reviewing a backport check every return in the function, not just the success path.
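The following is an added, constructed model of the race described above; it is not kernel code and does not use the kernel's data structures. It models conn->sk, sk->sk_state, sk->sk_refcnt, sco_conn_lock() and sco_sock_hold()/sock_put() with plain C (the toy_* names, the interleave callback standing in for the other CPU, and the freed flag standing in for kfree() are all assumptions of the example). The vulnerable receive path drops the lock with no reference and reads the state after close() has run; the fixed path holds a reference across the window and releases it on every exit, so close() can only drop its own reference.

```c
/* toy_sco_race.c: constructed model of the sco_recv_frame() race (not kernel code). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum { BT_CONNECTED = 1, BT_CLOSED = 9 };    /* same values as the kernel's bluetooth.h */
enum { RECV_OK = 0, RECV_NO_SOCK = -1, RECV_UAF = -2 };

struct toy_sock {
	int refcnt;   /* stands in for sk->sk_refcnt */
	int state;    /* stands in for sk->sk_state */
	bool freed;   /* instrumentation: set when the last reference is dropped (kfree) */
};

struct toy_conn {
	struct toy_sock *sk;  /* stands in for conn->sk */
	bool locked;          /* stands in for sco_conn_lock(); single thread, so a flag */
};

static void conn_lock(struct toy_conn *c)   { c->locked = true; }
static void conn_unlock(struct toy_conn *c) { c->locked = false; }
static void toy_sock_hold(struct toy_sock *sk) { sk->refcnt++; }   /* sco_sock_hold() */

/* Models sock_put(): the last put frees the socket (here: marks it freed). */
static void toy_sock_put(struct toy_sock *sk)
{
	if (--sk->refcnt == 0)
		sk->freed = true;
}

/* The concurrent close(): detach the socket from the connection under the lock,
 * mark it closed, then drop the socket's own reference. With no other holder
 * the socket is gone when this returns. */
static void toy_sock_close(struct toy_conn *conn)
{
	conn_lock(conn);
	struct toy_sock *sk = conn->sk;
	conn->sk = NULL;
	conn_unlock(conn);
	if (!sk)
		return;
	sk->state = BT_CLOSED;
	toy_sock_put(sk);
}

/* Pre-fix shape: lock dropped before the sk->sk_state read, no reference taken.
 * 'interleave' is whatever runs on another CPU in that window. */
static int recv_frame_vulnerable(struct toy_conn *conn, void (*interleave)(struct toy_conn *))
{
	conn_lock(conn);
	struct toy_sock *sk = conn->sk;
	conn_unlock(conn);
	if (!sk)
		return RECV_NO_SOCK;
	if (interleave)
		interleave(conn);       /* close() lands here in the real race */
	if (sk->freed)
		return RECV_UAF;        /* the kernel would read freed memory here */
	return sk->state == BT_CONNECTED ? RECV_OK : RECV_NO_SOCK;
}

/* Fixed shape: reference taken under the lock, released on every exit. */
static int recv_frame_fixed(struct toy_conn *conn, void (*interleave)(struct toy_conn *))
{
	conn_lock(conn);
	struct toy_sock *sk = conn->sk;
	if (sk)
		toy_sock_hold(sk);      /* pins the socket across the unlocked window */
	conn_unlock(conn);
	if (!sk)
		return RECV_NO_SOCK;
	if (interleave)
		interleave(conn);       /* close() drops its reference; ours keeps sk alive */
	int ret = RECV_UAF;
	if (!sk->freed)
		ret = sk->state == BT_CONNECTED ? RECV_OK : RECV_NO_SOCK;
	toy_sock_put(sk);               /* sock_put() on the exit path; last put frees */
	return ret;
}

struct outcome { int ret; bool leaked; };

/* One scenario: a connected socket, a frame arrives, and close() either races into
 * the unlocked window or runs afterwards. 'leaked' reports a socket whose refcount
 * never reached zero, i.e. a missing sock_put(). */
static struct outcome run_scenario(int (*recv)(struct toy_conn *, void (*)(struct toy_conn *)),
				   bool race_close)
{
	struct toy_sock sk = { .refcnt = 1, .state = BT_CONNECTED, .freed = false };
	struct toy_conn conn = { .sk = &sk, .locked = false };
	struct outcome o;
	o.ret = recv(&conn, race_close ? toy_sock_close : NULL);
	if (!race_close)
		toy_sock_close(&conn);  /* orderly teardown after the frame */
	o.leaked = !sk.freed;
	return o;
}

int main(void)
{
	struct outcome a = run_scenario(recv_frame_vulnerable, true);
	struct outcome b = run_scenario(recv_frame_fixed, true);
	printf("vulnerable, raced: ret=%d (-2 = use-after-free)\n", a.ret);
	printf("fixed, raced:      ret=%d (-1 = frame dropped) leaked=%d\n", b.ret, b.leaked);
	return 0;
}
```

Compile with `cc -std=c99 -Wall toy_sco_race.c`. The raced vulnerable scenario returns RECV_UAF because close() freed the only reference; the raced fixed scenario returns RECV_NO_SOCK (close() moved the state to BT_CLOSED, so the frame is dropped) and ends with the socket freed, which is the check that the extra reference was released rather than leaked.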
03 Fix Versions

| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.15 | 5.15.203 | d57384e27d1e |
| 6.1 | 6.1.168 | b0a7da0e3f74 |
| 6.6 | 6.6.131 | 45aaca995e4a |
| 6.12 | 6.12.80 | 108b81514d8f |
| 6.18 | 6.18.21 | 7197462e90b8 |
| 6.19 | 6.19.11 | e76e8f0581ef |
| mainline | 7.0 | 598dbba9919c |