CVE-2026-31408

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold<br /> <br /> sco_recv_frame() reads conn-&gt;sk under sco_conn_lock() but immediately<br /> releases the lock without holding a reference to the socket. A concurrent<br /> close() can free the socket between the lock release and the subsequent<br /> sk-&gt;sk_state access, resulting in a use-after-free.<br /> <br /> Other functions in the same file (sco_sock_timeout(), sco_conn_del())<br /> correctly use sco_sock_hold() to safely hold a reference under the lock.<br /> <br /> Fix by using sco_sock_hold() to take a reference before releasing the<br /> lock, and adding sock_put() on all exit paths.