Description
In the Linux kernel, the following vulnerability has been resolved:

can: isotp: fix tx.buf use-after-free in isotp_sendmsg()

isotp_sendmsg() uses only cmpxchg() on so->tx.state to serialize access
to so->tx.buf. isotp_release() waits for ISOTP_IDLE via
wait_event_interruptible() and then calls kfree(so->tx.buf).

If a signal interrupts the wait_event_interruptible() inside close()
while tx.state is ISOTP_SENDING, the loop exits early and release
proceeds to force ISOTP_SHUTDOWN and continues to kfree(so->tx.buf)
while sendmsg may still be reading so->tx.buf for the final CAN frame
in isotp_fill_dataframe().

The so->tx.buf can be allocated once when the standard tx.buf length needs
to be extended. Move the kfree() of this potentially extended tx.buf to
sk_destruct time when either isotp_sendmsg() and isotp_release() are done.
Published: 2026-04-22
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Use‑After‑Free in Linux CAN ISO‑TP driver
Action: Patch Now
AI Analysis

Impact

The CVE involves a use‑after‑free flaw in the Linux kernel's CAN ISO‑TP driver (CWE‑416) coupled with a race condition (CWE‑364). When a close operation is interrupted by a signal while a transmission is in progress, the driver may free the transmission buffer before the sending routine has finished using it. This can lead to kernel memory corruption, a crash, or denial of service.

Affected Systems

All Linux kernel installations that include the problematic CAN ISO‑TP driver are potentially vulnerable; the CVE does not specify particular kernel releases, and the list of affected versions is not provided in the vendor data.

Risk and Exploitability

The CVSS base score is 7.8, indicating high severity. The EPSS score is <1%, showing a low likelihood of exploitation. Attackers would need to trigger a close operation with an interrupting signal while a transmission is underway, a scenario that is difficult to accomplish from a remote context but possible from a local or privileged environment. Since no public exploits exist, the risk is primarily the potential for a kernel crash or memory corruption that could be exploited to gain higher privileges or disrupt system availability. The flaw is not listed in CISA’s KEV catalog, and the attack vector is confined to local or remote code execution that affects the CAN network stack.

Generated by OpenCVE AI on April 28, 2026 at 15:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the patch for the ISO‑TP sendmsg use‑after‑free bug
  • Reboot the system after upgrading to ensure the new kernel is running
  • If an immediate upgrade is not possible, consider disabling the ISO‑TP functionality in the CAN network stack or isolating CAN devices until a patched kernel is available

Generated by OpenCVE AI on April 28, 2026 at 15:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6238-1 linux security update
History

Mon, 27 Apr 2026 23:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:linux:linux_kernel:6.4:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-364
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Wed, 22 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: can: isotp: fix tx.buf use-after-free in isotp_sendmsg() isotp_sendmsg() uses only cmpxchg() on so->tx.state to serialize access to so->tx.buf. isotp_release() waits for ISOTP_IDLE via wait_event_interruptible() and then calls kfree(so->tx.buf). If a signal interrupts the wait_event_interruptible() inside close() while tx.state is ISOTP_SENDING, the loop exits early and release proceeds to force ISOTP_SHUTDOWN and continues to kfree(so->tx.buf) while sendmsg may still be reading so->tx.buf for the final CAN frame in isotp_fill_dataframe(). The so->tx.buf can be allocated once when the standard tx.buf length needs to be extended. Move the kfree() of this potentially extended tx.buf to sk_destruct time when either isotp_sendmsg() and isotp_release() are done.
Title can: isotp: fix tx.buf use-after-free in isotp_sendmsg()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:09:26.119Z

Reserved: 2026-03-09T15:48:24.098Z

Link: CVE-2026-31474

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T14:16:44.053

Modified: 2026-04-27T23:27:13.620

Link: CVE-2026-31474

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31474 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T15:45:06Z

Weaknesses