CVE-2026-31532
Published: Apr 23, 2026
Modified: Jun 1, 2026
CVSS v3.1
7.8
Description
In the Linux kernel, the following vulnerability has been resolved:

can: raw: fix ro->uniq use-after-free in raw_rcv()

raw_release() unregisters raw CAN receive filters via can_rx_unregister(), but receiver deletion is deferred with call_rcu(). This leaves a window where raw_rcv() may still be running in an RCU read-side critical section after raw_release() frees ro->uniq, leading to a use-after-free of the percpu uniq storage.

Move free_percpu(ro->uniq) out of raw_release() and into a raw-specific socket destructor. can_rx_unregister() takes an extra reference to the socket and only drops it from the RCU callback, so freeing uniq from sk_destruct ensures the percpu area is not released until the relevant callbacks have drained.

[mkl: applied manually]
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux | affected 514ac99c64b22d83b52dfee3b8becaa69a92bc4a - < 1de30576a6dfeaaa27ef91fa272e6b9240b6fbd3; affected 514ac99c64b22d83b52dfee3b8becaa69a92bc4a - < 64c8553decf5a5f2417bd54761ea0a832c56c4ca; affected 514ac99c64b22d83b52dfee3b8becaa69a92bc4a - < 3f43f12fde34737fba091b7e3ab391e14ddbb0be; affected 514ac99c64b22d83b52dfee3b8becaa69a92bc4a - < 5e9cfffad898bbeaafd0ea608a6d267362f050fc; affected 514ac99c64b22d83b52dfee3b8becaa69a92bc4a - < 572f0bf536ebc14f6e7da3d21a85cf076de8358e; +4 more versions |
| Linux | Linux | affected 4.1; unaffected 0 - < 4.1; unaffected 5.10.258 - <= 5.10.*; unaffected 5.15.209 - <= 5.15.*; unaffected 6.1.175 - <= 6.1.*; +6 more versions |
CVSS v3.1 Details
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

| Metric | Value |
|---|---|
| Attack Vector | Local (AV:L) |
| Attack Complexity | Low (AC:L) |
| Privileges Required | Low (PR:L) |
| User Interaction | None (UI:N) |
| Scope | Unchanged (S:U) |
| Confidentiality | High (C:H) |
| Integrity | High (I:H) |
| Availability | High (A:H) |
References