The Linux kernel Bluetooth subsystem carries a use-after-free bug on the SCO (Synchronous Connection-Oriented) path, the one that carries synchronous audio for headsets and hands-free devices. It is tracked as CVE-2026-31408 and rated CVSS 8.8 (High).
What actually breaks
The bug lives in sco_recv_frame(), in net/bluetooth/sco.c. The function copies the socket pointer (conn->sk) while holding sco_conn_lock(), then drops the lock without having taken a reference on the socket object. Between that unlock and the later read of sk->sk_state, a concurrent close() can drop the last reference and free the socket, so the read lands on memory that has already been released: a textbook use-after-free reached through a race condition.
The official description puts it plainly: the function reads conn->sk under the lock but releases it without holding a reference, so a concurrent close() can free the socket before the next access.
Who’s affected
Any Linux system with the Bluetooth stack enabled. That covers laptops, desktops, IoT devices, automotive infotainment systems and plenty of embedded boards. The vulnerable range is wide, starting at 2.6.12 and reaching very recent branches. Per NVD, affected versions include everything up to 5.15.203, 5.16 through 6.1.167, 6.2 through 6.6.130, 6.7 through 6.12.79, 6.13 through 6.18.20, and 6.19 through 6.19.10. If you run an LTS kernel, check exactly where the fix landed in your series rather than assuming the mainline number applies.
How serious it is
The CVSS vector is AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The AV:A (Adjacent) part matters: this isn't exploitable from across the internet, only from within Bluetooth radio range. An attacker has to be within radio reach and win the race between SCO frame reception and socket close. Pulling that off isn't trivial, since it depends on timing, but the potential impact is real, from a kernel crash (denial of service) up to kernel code execution in the worst case. That's why confidentiality, integrity and availability all rate high.
The reassuring side is that the proximity vector shrinks the attack surface a lot compared to a pure remote bug. The awkward side is that Bluetooth is usually on by default on laptops and in cars.
Mitigation
The fix adds proper reference counting: sco_recv_frame() now uses sco_sock_hold() to take a reference on the socket before dropping the lock and calls sock_put() on every exit path, matching how other functions in the same file already handle conn->sk. With that in place, a concurrent close() can drop its own reference but cannot free the socket while sco_recv_frame() is still using it.
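The race described under "What actually breaks" and the reference-counting fix, condensed into a user-space C model added for this write-up. It is not kernel code and not the patch: the lock, sock_hold()/sock_put(), close() and the two receive paths are toy stand-ins with the same shape as the real ones, the slab poison value and the uaf_hits counter are an assumed KASAN-like detector, and the concurrent close() is injected at the exact window instead of relying on timing.

```c
/* Toy user-space model of the sco_recv_frame() race; not kernel code. */
#include <stdbool.h>
#include <stdio.h>

enum sk_state { SK_CONNECTED = 1, SK_CLOSED = 2, SK_POISON = 0x6b6b6b6b };

struct sk { int refcnt; int state; bool freed; };  /* freed: slab took it back */
struct sco_conn { struct sk *sk; };                /* sk is cleared by close() */

static int uaf_hits;   /* KASAN-style detector: counts reads of a freed sk */

/* The real lock serialises the conn->sk read; the interleaving is forced below. */
static void sco_conn_lock(struct sco_conn *c)   { (void)c; }
static void sco_conn_unlock(struct sco_conn *c) { (void)c; }
static void sock_hold(struct sk *sk)            { sk->refcnt++; }
static void sock_put(struct sk *sk)
{
    if (--sk->refcnt == 0) {
        sk->freed = true;
        sk->state = SK_POISON;  /* slab poisoning: these bytes are no longer ours */
    }
}

static int read_sk_state(struct sk *sk)
{
    if (sk->freed)
        uaf_hits++;             /* the read the bug makes possible */
    return sk->state;
}

/* close(): detach the socket from the connection and drop the conn's reference. */
static void sco_sock_close(struct sco_conn *conn)
{
    struct sk *sk;
    sco_conn_lock(conn);
    sk = conn->sk;
    conn->sk = NULL;
    sco_conn_unlock(conn);
    if (sk) {
        sk->state = SK_CLOSED;
        sock_put(sk);           /* if this was the last ref, the memory is gone */
    }
}

/* Buggy shape: pointer read under the lock, used after the lock is dropped. */
static int recv_frame_vulnerable(struct sco_conn *conn, void (*race)(struct sco_conn *))
{
    struct sk *sk;
    sco_conn_lock(conn);
    sk = conn->sk;
    sco_conn_unlock(conn);
    if (!sk)
        return -1;
    race(conn);                 /* the concurrent close() lands in this window */
    return read_sk_state(sk);   /* sk->sk_state read from freed memory */
}

/* Fixed shape: hold a reference before unlocking, put it on every exit path. */
static int recv_frame_fixed(struct sco_conn *conn, void (*race)(struct sco_conn *))
{
    struct sk *sk;
    int state;
    sco_conn_lock(conn);
    sk = conn->sk;
    if (sk)
        sock_hold(sk);          /* the sco_sock_hold() step of the real fix */
    sco_conn_unlock(conn);
    if (!sk)
        return -1;
    race(conn);                 /* close() runs, but our reference keeps sk alive */
    state = read_sk_state(sk);
    sock_put(sk);               /* last reference drops here; sk is freed now */
    return state;
}

/* state: what the receive path read; uaf_hits: freed reads; sk_freed: no leak */
struct outcome { int state; int uaf_hits; bool sk_freed; };

/* Drive one receive against a forced concurrent close(), buggy or fixed. */
struct outcome run_scenario(bool fixed)
{
    struct sk sk = { .refcnt = 1, .state = SK_CONNECTED, .freed = false };
    struct sco_conn conn = { .sk = &sk };
    struct outcome out;
    uaf_hits = 0;
    out.state = fixed ? recv_frame_fixed(&conn, sco_sock_close)
                      : recv_frame_vulnerable(&conn, sco_sock_close);
    out.uaf_hits = uaf_hits;
    out.sk_freed = sk.freed;
    return out;
}

int main(void)
{
    struct outcome v = run_scenario(false), f = run_scenario(true);
    printf("vulnerable: state=0x%x uaf_hits=%d\n", (unsigned)v.state, v.uaf_hits);
    printf("fixed:      state=%d uaf_hits=%d freed=%d\n", f.state, f.uaf_hits, f.sk_freed);
    return 0;
}
```

Compile with cc -Wall and run: the vulnerable path reports the 0x6b6b6b6b poison pattern and one detector hit, the fixed path reports SK_CLOSED (2), zero hits, and a socket that is still released at the end, so the extra reference closes the window without leaking. In the real kernel that window is a handful of instructions wide and has to be won by timing; the injected callback is what makes the interleaving reproducible here.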
What to do in practice:
- Update the kernel to the first version in your series that carries the patch, then reboot.
- If you can’t patch right away and you don’t use Bluetooth, turning it off (rfkill block bluetooth, or stopping the bluetooth service) drops your exposure to zero in the meantime.
- Across IoT or embedded fleets, prioritise devices that keep Bluetooth always on and sit within physical reach of others.
To check where your system sits in its maintenance window, see the Linux kernel page.