Skip to content
CVSS 7.8 · HIGH

CVE-2026-31532

In the Linux kernel, the following vulnerability has been resolved: can: raw: fix ro->uniq use-after-free in raw_rcv() raw_release() unregisters raw CAN receive filters via can_rx_unregister(), but receiver deletion is deferred with call_rcu(). This leaves a window where raw_rcv() may still be running in an RCU read-side critical section after raw_release() frees ro->uniq, leading to a use-after-free of the percpu uniq storage. Move free_percpu(ro->uniq) out of raw_release() and into a raw-specific socket destructor. can_rx_unregister() takes an extra reference to the socket and only drops it from the RCU callback, so freeing uniq from sk_destruct ensures the percpu area is not released until the relevant callbacks have drained. [mkl: applied manually]

Ver en NVD

Análisis

The Linux kernel has a use-after-free vulnerability in its CAN (Controller Area Network) raw socket implementation. This flaw can be triggered during socket release, potentially leading to system crashes or local privilege escalation on affected systems. If your infrastructure utilizes CAN bus protocols or runs specialized industrial/embedded Linux distributions, you should apply the latest kernel updates immediately.

Severidad

Puntaje: 7.8(HIGH)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AV: LOCAL
AC: LOW
PR: LOW
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Tipo de falla (CWE): CWE-416

EPSS

Probabilidad de explotación (próx. 30 días): 0.0001 (0.0%)
Percentil: 2.4%
EPSS: 2026-05-06

Afecta

linux:linux_kernel

Descripción técnica

In the Linux kernel, the following vulnerability has been resolved: can: raw: fix ro->uniq use-after-free in raw_rcv() raw_release() unregisters raw CAN receive filters via can_rx_unregister(), but receiver deletion is deferred with call_rcu(). This leaves a window where raw_rcv() may still be running in an RCU read-side critical section after raw_release() frees ro->uniq, leading to a use-after-free of the percpu uniq storage. Move free_percpu(ro->uniq) out of raw_release() and into a raw-specific socket destructor. can_rx_unregister() takes an extra reference to the socket and only drops it from the RCU callback, so freeing uniq from sk_destruct ensures the percpu area is not released until the relevant callbacks have drained. [mkl: applied manually]

Publicada: 23/4/2026, 12:17:01
Última modificación: 29/4/2026, 15:26:27

Referencias

InicioEventosBlogRecursosEquipo