CVE-2026-31532 - Vulnerability Details

- can: raw: fix ro->uniq use-after-free in raw_rcv()

Description

In the Linux kernel, the following vulnerability has been resolved:

can: raw: fix ro->uniq use-after-free in raw_rcv()

raw_release() unregisters raw CAN receive filters via can_rx_unregister(),
but receiver deletion is deferred with call_rcu(). This leaves a window
where raw_rcv() may still be running in an RCU read-side critical section
after raw_release() frees ro->uniq, leading to a use-after-free of the
percpu uniq storage.

Move free_percpu(ro->uniq) out of raw_release() and into a raw-specific
socket destructor. can_rx_unregister() takes an extra reference to the
socket and only drops it from the RCU callback, so freeing uniq from
sk_destruct ensures the percpu area is not released until the relevant
callbacks have drained.

[mkl: applied manually]

Published: 2026-04-23

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A use‑after‑free bug exists in the Linux kernel CAN raw handling. When a raw socket is released, its per‑CPU uniq storage can be freed before the RCU callback finishes, allowing a subsequent read operation to dereference a freed pointer. An attacker who can inject crafted CAN frames into the raw interface could exploit this race to read or overwrite kernel memory, potentially executing arbitrary code. The flaw is classified as CWE‑366 and CWE‑416.

Affected Systems

All Linux kernel builds that include CAN raw support and have not applied the patch referenced in commit a535a9217ca3f2fccedaafb2fddb4c48f27d36dc are affected. No specific kernel versions are listed in the advisory, so any unsupported kernel that still contains the vulnerable code path is potentially impacted.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. However, the EPSS score of less than 1% and the absence from the CISA KEV catalog suggest the exploitation likelihood is low at present. The vulnerability is local to the system, requiring the ability to write to a CAN raw device; an attacker would need sufficient privileges or access to the CAN bus interface to trigger the race condition.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`514ac99c64b22d83b52dfee3b8becaa69a92bc4a`	affected	< 5e9cfffad898bbeaafd0ea608a6d267362f050fc
`514ac99c64b22d83b52dfee3b8becaa69a92bc4a`	affected	< 572f0bf536ebc14f6e7da3d21a85cf076de8358e
`514ac99c64b22d83b52dfee3b8becaa69a92bc4a`	affected	< 1a0f2de81f7fbdc538fc72d7d74609b79bc83cc0
`514ac99c64b22d83b52dfee3b8becaa69a92bc4a`	affected	< 7201a531b9a5ed892bfda5ded9194ef622de8ffa
`514ac99c64b22d83b52dfee3b8becaa69a92bc4a`	affected	< 34c1741254ff972e8375faf176678a248826fe3a
`514ac99c64b22d83b52dfee3b8becaa69a92bc4a`	affected	< a535a9217ca3f2fccedaafb2fddb4c48f27d36dc

Linux

affected

Version	Status	Constraints
`4.1`	affected	—
`0`	unaffected	< 4.1
`6.6.136`	unaffected	≤ 6.6.*
`6.12.83`	unaffected	≤ 6.12.*
`6.18.24`	unaffected	≤ 6.18.*
`6.19.14`	unaffected	≤ 6.19.*
`7.0.1`	unaffected	≤ 7.0.*
`7.1-rc1`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[514ac99c64b22d83b52dfee3b8becaa69a92bc4a,5e9cfffad898bbeaafd0ea608a6d267362f050fc)`	affected	code_commit	—
`[514ac99c64b22d83b52dfee3b8becaa69a92bc4a,572f0bf536ebc14f6e7da3d21a85cf076de8358e)`	affected	code_commit	—
`[514ac99c64b22d83b52dfee3b8becaa69a92bc4a,1a0f2de81f7fbdc538fc72d7d74609b79bc83cc0)`	affected	code_commit	—
`[514ac99c64b22d83b52dfee3b8becaa69a92bc4a,7201a531b9a5ed892bfda5ded9194ef622de8ffa)`	affected	code_commit	—
`[514ac99c64b22d83b52dfee3b8becaa69a92bc4a,34c1741254ff972e8375faf176678a248826fe3a)`	affected	code_commit	—
`[514ac99c64b22d83b52dfee3b8becaa69a92bc4a,a535a9217ca3f2fccedaafb2fddb4c48f27d36dc)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`4.1`	affected	generic	—
`[0,4.1)`	unaffected	semver	—
`[6.6.136,6.7.0)`	unaffected	semver	—
`[6.12.83,6.13.0)`	unaffected	semver	—
`[6.18.24,6.19.0)`	unaffected	semver	—
`[6.19.14,6.20.0)`	unaffected	semver	—
`[7.0.1,7.1.0)`	unaffected	semver	—
`[7.1-rc1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that contains the committed patch fixing the use‑after‑free in the raw CAN path.
If the kernel cannot be updated immediately, unload or disable the can_raw module and remove CAN raw support from the system configuration.
Limit access to CAN interfaces to trusted users or processes, for example by configuring appropriate udev rules and file permissions so that only privileged users can create or manipulate raw sockets.

Generated by OpenCVE AI on April 29, 2026 at 17:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6238-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1a0f2de81f7fbdc538fc72d7d74609b79bc83cc0
https://git.kernel.org/stable/c/34c1741254ff972e8375faf176678a248826fe3a
https://git.kernel.org/stable/c/572f0bf536ebc14f6e7da3d21a85cf076de8358e
https://git.kernel.org/stable/c/5e9cfffad898bbeaafd0ea608a6d267362f050fc
https://git.kernel.org/stable/c/7201a531b9a5ed892bfda5ded9194ef622de8ffa
https://git.kernel.org/stable/c/a535a9217ca3f2fccedaafb2fddb4c48f27d36dc
https://lore.kernel.org/linux-cve-announce/2026042349-CVE-2026-31532-a820@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31532
https://www.cve.org/CVERecord?id=CVE-2026-31532

History

Wed, 29 Apr 2026 15:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Mon, 27 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Mon, 27 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/5e9cfffad898bbeaafd0ea608a6d267362f050fc

Mon, 27 Apr 2026 11:30:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/a535a9217ca3f2fccedaafb2fddb4c48f27d36dc

Fri, 24 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-366
References		https://lore.kernel.org/linux-cve-announce/2026042349-CVE-2026-31532-a820@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31532 https://www.cve.org/CVERecord?id=CVE-2026-31532
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Important`

Thu, 23 Apr 2026 11:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: can: raw: fix ro->uniq use-after-free in raw_rcv() raw_release() unregisters raw CAN receive filters via can_rx_unregister(), but receiver deletion is deferred with call_rcu(). This leaves a window where raw_rcv() may still be running in an RCU read-side critical section after raw_release() frees ro->uniq, leading to a use-after-free of the percpu uniq storage. Move free_percpu(ro->uniq) out of raw_release() and into a raw-specific socket destructor. can_rx_unregister() takes an extra reference to the socket and only drops it from the RCU callback, so freeing uniq from sk_destruct ensures the percpu area is not released until the relevant callbacks have drained. [mkl: applied manually]
Title		can: raw: fix ro->uniq use-after-free in raw_rcv()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1a0f2de81f7fbdc538fc72d7d74609b79bc83cc0 https://git.kernel.org/stable/c/34c1741254ff972e8375faf176678a248826fe3a https://git.kernel.org/stable/c/572f0bf536ebc14f6e7da3d21a85cf076de8358e https://git.kernel.org/stable/c/7201a531b9a5ed892bfda5ded9194ef622de8ffa

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-23T11:12:44.829Z

Updated: 2026-05-11T22:10:37.048Z

Reserved: 2026-03-09T15:48:24.112Z

Link: CVE-2026-31532

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-23T12:17:01.927

Modified: 2026-04-29T15:26:27.230

Link: CVE-2026-31532

Redhat

Severity : Important

Publid Date: 2026-04-23T00:00:00Z

Links: CVE-2026-31532 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T17:30:16Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object