{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31511", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.106Z", "datePublished": "2026-04-22T13:54:29.420Z", "dateUpdated": "2026-05-11T22:10:12.444Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:10:12.444Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete\n\nThis fixes the condition checking so mgmt_pending_valid is executed\nwhenever status != -ECANCELED otherwise calling mgmt_pending_free(cmd)\nwould kfree(cmd) without unlinking it from the list first, leaving a\ndangling pointer. Any subsequent list traversal (e.g.,\nmgmt_pending_foreach during __mgmt_power_off, or another\nmgmt_pending_valid call) would dereference freed memory."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/mgmt.c"], "versions": [{"version": "d71b98f253b079cbadc83266383f26fe7e9e103b", "lessThan": "340666172cf747de58c283d2eef1f335f050538b", "status": "affected", "versionType": "git"}, {"version": "302a1f674c00dd5581ab8e493ef44767c5101aab", "lessThan": "bafec9325d4de26b6c49db75b5d5172de652aae0", "status": "affected", "versionType": "git"}, {"version": "302a1f674c00dd5581ab8e493ef44767c5101aab", "lessThan": "3a89c33deffb3cb7877a7ea2e50734cd12b064f2", "status": "affected", "versionType": "git"}, {"version": "302a1f674c00dd5581ab8e493ef44767c5101aab", "lessThan": "5f5fa4cd35f707344f65ce9e225b6528691dbbaa", "status": "affected", "versionType": "git"}, {"version": "87a1f16f07c6c43771754075e08f45b41d237421", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/bluetooth/mgmt.c"], "versions": [{"version": "6.17", "status": "affected"}, {"version": "0", "lessThan": "6.17", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.59", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17", "versionEndExcluding": "7.0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16.10"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/340666172cf747de58c283d2eef1f335f050538b"}, {"url": "https://git.kernel.org/stable/c/bafec9325d4de26b6c49db75b5d5172de652aae0"}, {"url": "https://git.kernel.org/stable/c/3a89c33deffb3cb7877a7ea2e50734cd12b064f2"}, {"url": "https://git.kernel.org/stable/c/5f5fa4cd35f707344f65ce9e225b6528691dbbaa"}], "title": "Bluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2E3E9EB4-7DEE-45DF-B63A-FE5F72A20A3F", "versionEndExcluding": "6.12.80", "versionStartIncluding": "6.12.59", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1C91278E-7FC3-4EFB-AE2C-E82D42F4D3AA", "versionEndExcluding": "6.17", "versionStartIncluding": "6.16.10", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "44CB3599-9974-4F35-B3CC-580CAC6FA38B", "versionEndExcluding": "6.18.21", "versionStartIncluding": "6.17.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7", "versionEndExcluding": "6.19.11", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.17:-:*:*:*:*:*:*", "matchCriteriaId": "7CC8B11D-82DC-4958-8DC7-BF5CC829A5E9", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete\n\nThis fixes the condition checking so mgmt_pending_valid is executed\nwhenever status != -ECANCELED otherwise calling mgmt_pending_free(cmd)\nwould kfree(cmd) without unlinking it from the list first, leaving a\ndangling pointer. Any subsequent list traversal (e.g.,\nmgmt_pending_foreach during __mgmt_power_off, or another\nmgmt_pending_valid call) would dereference freed memory."}], "id": "CVE-2026-31511", "lastModified": "2026-04-28T14:59:25.130", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-22T14:16:50.343", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/340666172cf747de58c283d2eef1f335f050538b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3a89c33deffb3cb7877a7ea2e50734cd12b064f2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5f5fa4cd35f707344f65ce9e225b6528691dbbaa"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/bafec9325d4de26b6c49db75b5d5172de652aae0"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: Bluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete", "id": "2460703", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460703"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-825", "details": ["A flaw was found in the Bluetooth Management (MGMT) component of the Linux kernel. An issue with how memory is managed during certain operations can lead to a 'dangling pointer' vulnerability. This means that the system might attempt to access memory that has already been released, potentially causing system instability or a denial of service."], "name": "CVE-2026-31511", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31511\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31511\nhttps://lore.kernel.org/linux-cve-announce/2026042208-CVE-2026-31511-b569@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[d71b98f253b079cbadc83266383f26fe7e9e103b,340666172cf747de58c283d2eef1f335f050538b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[302a1f674c00dd5581ab8e493ef44767c5101aab,bafec9325d4de26b6c49db75b5d5172de652aae0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[302a1f674c00dd5581ab8e493ef44767c5101aab,3a89c33deffb3cb7877a7ea2e50734cd12b064f2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[302a1f674c00dd5581ab8e493ef44767c5101aab,5f5fa4cd35f707344f65ce9e225b6528691dbbaa)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "87a1f16f07c6c43771754075e08f45b41d237421"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.17"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.17)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.12.80,6.12.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.18.21,6.18.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19.11,6.19.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T20:48:00.239286+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes the mgmt_add_adv_patterns_monitor_complete fix from your vendor.", "Reboot the system so the updated kernel and Bluetooth modules take effect.", "If an immediate kernel update is not possible, stop or disable the Bluetooth service to reduce exposure until the patch can be applied."], "summary": {"action": "Patch", "impact": "Use-After-Free"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases that contain the legacy mgmt_add_adv_patterns_monitor_complete implementation and have not yet incorporated the vendor\u2011supplied patch are affected. Devices exposing a Bluetooth management interface on these kernels are at risk.", "description_and_impact": "The flaw arises from a dangling pointer in the Linux kernel Bluetooth MGMT code, corresponding to CWE\u2011416 use\u2011after\u2011free and CWE\u2011825 use\u2011after\u2011free. When a pending command is freed without unlinking it from the internal list, a stale pointer remains. Subsequent list traversals, such as those performed during power\u2011off or additional validation calls, dereference this freed memory, leading to kernel memory corruption and crashes. The potential for arbitrary code execution is inferred from the nature of the vulnerability but is not explicitly stated in the CVE description.", "risk_and_exploitability": "The CVSS score of 7.8 indicates high severity. The EPSS score is less than 1%, indicating a low but non\u2011zero likelihood of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. It resides in privileged kernel code and could be triggered by an unauthenticated user sending crafted Bluetooth MGMT packets, an attack vector that is inferred from the nature of the vulnerability but is not explicitly described. An attacker could cause a crash (denial of service) or potentially execute code with elevated privileges, depending on the execution context of the freed memory; these outcomes are also inferred and not explicitly detailed in the CVE description."}}}}, "created": "2026-04-22T18:15:15.247493+00:00", "updated": "2026-04-28T21:00:14.746839+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}