Severity
High
Analysis Summary
CVE-2026-31408 CVSS:7.3
Linux Kernel is vulnerable to a denial of service, caused by a use-after-free in sco_recv_frame() within the Bluetooth SCO subsystem. sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately releases the lock without holding a reference to the socket. A concurrent close() can free the socket between the lock release and the subsequent sk->sk_state access, resulting in a use-after-free. This memory corruption can lead to a system crash or potentially arbitrary code execution.
CVE-2026-28529 CVSS:7.8
cryptodev-linux could allow a local authenticated attacker to gain elevated privileges on the system, caused by a page reference handling flaw in the get_userbuf function of the /dev/crypto device driver.
Impact
- Privileges Escalation
- Denial of Service
Indicators of Compromise
CVE
CVE-2026-31408
CVE-2026-28529
Affected Vendors
Affected Products
- Linux Kernel 2.6.12
- cryptodev-linux cryptodev-linux 1.14
Remediation
Upgrade to the latest version of the kernel, available from the Linux Kernel GIT Repository.