What is CVE-2026-31500?

CVE-2026-31500 is a High severity Linux kernel vulnerability with a CVSS score of 7.8 out of 10, classified as a Use After Free flaw (CWE-416), affecting Linux kernel versions from 4.3 onward and patched in 6.1.175, 6.6.131, 6.12.80 and others. CVE-2026-31500 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2026-31500?

CVE-2026-31500 has a CVSS score of 7.8 out of 10, rated High severity. The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Is there a patch available for CVE-2026-31500?

Yes, CVE-2026-31500 has been patched. Fixed versions include 6.1.175, 6.6.131, 6.12.80 and others. If you are running Linux kernel 4.3 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2026-31500 actively exploited?

CVE-2026-31500 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is Use After Free (CWE-416)?

The product references memory after it has been freed, which may cause it to crash, use unexpected values, or execute code. See MITRE CWE for full details: https://cwe.mitre.org/data/definitions/416.html

CVE-2026-31500

High

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock btintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESET and Intel exception-info retrieval) without holding hci_req_sync_lock(). This lets it race against hci_dev_do_close() -> btintel_shutdown_combined(), which also runs __hci_cmd_sync() under the same lock. When both paths manipulate hdev->req_status/req_rsp concurrently, the close path may free the response skb first, and the still-running hw_error path hits a slab-use-after-free in kfree_skb(). Wrap the whole recovery sequence in hci_req_sync_lock/unlock so it is serialized with every other synchronous HCI command issuer. Below is the data race report and the kasan report: BUG: data-race in __hci_cmd_sync_sk / btintel_shutdown_combined read of hdev->req_rsp at net/bluetooth/hci_sync.c:199 by task kworker/u17:1/83: __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200 __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223 btintel_hw_error+0x114/0x670 drivers/bluetooth/btintel.c:254 hci_error_reset+0x348/0xa30 net/bluetooth/hci_core.c:1030 write/free by task ioctl/22580: btintel_shutdown_combined+0xd0/0x360 drivers/bluetooth/btintel.c:3648 hci_dev_close_sync+0x9ae/0x2c10 net/bluetooth/hci_sync.c:5246 hci_dev_do_close+0x232/0x460 net/bluetooth/hci_core.c:526 BUG: KASAN: slab-use-after-free in sk_skb_reason_drop+0x43/0x380 net/core/skbuff.c:1202 Read of size 4 at addr ffff888144a738dc by task kworker/u17:1/83: __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200 __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223 btintel_hw_error+0x186/0x670 drivers/bluetooth/btintel.c:260

Package Linux Kernel

Published 2026-04-22

Last modified 2026-06-01

CVSS version 3.1

Patch available

Yes

CVSS 3.1 score

7.8

out of 10

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weakness type

CWE-416

CVE-2026-31500 is a Use After Free vulnerability

What is Use After Free?

The product references memory after it has been freed, which may cause it to crash, use unexpected values, or execute code. Learn more on MITRE CWE

Affected versions

Linux kernel versions 4.3 and later are affected. Fixed in 6.1.175, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0 and their respective stable series.

Affected from

≥ 4.3

Fixed in

✓ 6.1.175 6.1.x ✓ 6.6.131 6.6.x ✓ 6.12.80 6.12.x ✓ 6.18.21 6.18.x ✓ 6.19.11 6.19.x ✓ 7.0

References

The following references provide additional information about CVE-2026-31500 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/5f84e845648dfa86e42de5487f1a774b42f0444d
Patch
Kernel patch commit
https://git.kernel.org/stable/c/66696648af477dc87859e5e4b607112f5f29d010
Patch
Kernel patch commit
https://git.kernel.org/stable/c/7e041d0aad1d4d43d921ace052e04f4e2cacaed3
Patch

6 patch commits total View all on NVD

Details

CVE ID CVE-2026-31500

Severity High

CVSS score 7.8 / 10

CVSS version 3.1

Published 2026-04-22

Modified 2026-06-01

KEV No

Patch

Yes

Package linux

Frequently asked questions

What is CVE-2026-31500?

CVE-2026-31500 is a High severity Linux kernel vulnerability with a CVSS score of 7.8 out of 10 , classified as an Use After Free flaw (CWE-416) . It affects Linux kernel versions from 4.3 onward and has been patched in 6.1.175, 6.6.131, 6.12.80 and others. CVE-2026-31500 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
What is the CVSS score for CVE-2026-31500?

CVE-2026-31500 has a CVSS score of 7.8 out of 10, rated High severity (CVSS 3.1). The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Is there a patch available for CVE-2026-31500?

Yes — CVE-2026-31500 has been patched. Fixed versions include 6.1.175, 6.6.131, 6.12.80 and others. If you are running Linux kernel 4.3 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2026-31500 actively exploited?

No — CVE-2026-31500 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
What is Use After Free (CWE-416)?

The product references memory after it has been freed, which may cause it to crash, use unexpected values, or execute code. View CWE-416 on MITRE CWE →