{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-22T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Bluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete",
    "id" : "2460703",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2460703"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-825",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nBluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete\nThis fixes the condition checking so mgmt_pending_valid is executed\nwhenever status != -ECANCELED otherwise calling mgmt_pending_free(cmd)\nwould kfree(cmd) without unlinking it from the list first, leaving a\ndangling pointer. Any subsequent list traversal (e.g.,\nmgmt_pending_foreach during __mgmt_power_off, or another\nmgmt_pending_valid call) would dereference freed memory.", "A flaw was found in the Bluetooth Management (MGMT) component of the Linux kernel. An issue with how memory is managed during certain operations can lead to a 'dangling pointer' vulnerability. This means that the system might attempt to access memory that has already been released, potentially causing system instability or a denial of service." ],
  "statement" : "The MGMT pending command list is now validated before `kfree()` so canceled commands cannot leave dangling list entries traversed on power-off. Red Hat recommends kernel updates for Bluetooth management users. Unload `bluetooth` if RF management is not needed.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31511\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31511\nhttps://lore.kernel.org/linux-cve-announce/2026042208-CVE-2026-31511-b569@gregkh/T" ],
  "name" : "CVE-2026-31511",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent the bluetooth module from being loaded. See https://access.redhat.com/solutions/41278 for instructions.",
    "lang" : "en:us"
  },
  "csaw" : false
}