PT-2026-30576 · Linux · Linux Kernel

Published 2026-04-06 · Updated 2026-05-28 · CVE-2026-31408

CVSS v3.1: 8.8 (High)

Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Linux Kernel (affected versions not specified)

Description

The Linux kernel contains a use-after-free issue in the sco_recv_frame() function within the Bluetooth SCO (Synchronous Connection-Oriented) subsystem. The function reads conn->sk under sco_conn_lock() but releases the lock without holding a reference to the socket. A concurrent close() operation could free the socket between the lock release and the subsequent access to sk->sk_state, leading to a use-after-free condition. The issue is fixed by using sco_sock_hold() to acquire a reference before releasing the lock and adding sock_put() on all exit paths.
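
The ordering problem described above, as an added userspace model that is not kernel code and not taken from the fix: it replays the close-between-unlock-and-use interleaving deterministically, with and without a reference taken under the lock. All names (model_sock, model_recv, run_case and so on) are hypothetical, and "freeing" is modelled by a flag so the stale access can be observed safely.

```c
#include <stdio.h>

/* Userspace model only; every name here is hypothetical, not a kernel symbol. */
struct model_sock { int refcnt; int state; int freed; };
struct model_conn { struct model_sock *sk; };

static void model_hold(struct model_sock *sk) { sk->refcnt++; }
/* Drop one reference; the last put "frees" the object (marked, not released). */
static void model_put(struct model_sock *sk) { if (--sk->refcnt == 0) sk->freed = 1; }

/* Stands in for a concurrent close(): detach the socket, drop the conn's reference. */
static void model_close(struct model_conn *conn)
{
    struct model_sock *sk = conn->sk;
    conn->sk = NULL;
    if (sk) model_put(sk);
}

/* take_ref=0 is the flawed ordering, take_ref=1 the fixed one; race!=0 runs
 * model_close() in the window after the lock is dropped. Returns 0 if the state
 * read hit a live object, -1 if it would have hit freed memory, 1 if no socket. */
static int model_recv(struct model_conn *conn, int take_ref, int race)
{
    /* --- conn lock held --- */
    struct model_sock *sk = conn->sk;
    if (sk && take_ref) model_hold(sk);
    /* --- conn lock released --- */
    if (!sk) return 1;
    if (race) model_close(conn);
    int rc = sk->freed ? -1 : 0;      /* point where sk->state would be read */
    if (take_ref) model_put(sk);      /* the fix drops its reference on exit */
    return rc;
}

/* One scenario on a fresh socket whose only reference belongs to the connection. */
static int run_case(int take_ref, int race, int *freed_after)
{
    struct model_sock sk = { 1, 0, 0 };
    struct model_conn conn = { &sk };
    int rc = model_recv(&conn, take_ref, race);
    *freed_after = sk.freed;
    return rc;
}

int main(void)
{
    int f;
    printf("no ref: %d, ref held: %d\n", run_case(0, 1, &f), run_case(1, 1, &f));
    return 0;
}
```

With the reference held, the socket outlives the racing close and is released only by the receive path's own put, so the object is neither used after free nor leaked.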

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Use After Free

Weakness Enumeration

Related Identifiers

ALSA-2026:21706
ALSA-2026:21745
BDU:2026-04925
CVE-2026-31408
ECHO-6F26-7F45-95A5
OESA-2026-1946
OESA-2026-1947
OESA-2026-1948
OESA-2026-1950

Affected Products

Linux Kernel