CVE-2026-31532
Vulnerability Summary
Timeline
Description
In the Linux kernel, the following vulnerability has been resolved: can: raw: fix ro->uniq use-after-free in raw_rcv() raw_release() unregisters raw CAN receive filters via can_rx_unregister(), but receiver deletion is deferred with call_rcu(). This leaves a window where raw_rcv() may still be running in an RCU read-side critical section after raw_release() frees ro->uniq, leading to a use-after-free of the percpu uniq storage. Move free_percpu(ro->uniq) out of raw_release() and into a raw-specific socket destructor. can_rx_unregister() takes an extra reference to the socket and only drops it from the RCU callback, so freeing uniq from sk_destruct ensures the percpu area is not released until the relevant callbacks have drained. [mkl: applied manually]
CVSS Metrics
- v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Trends
Current EPSS score: 0.02%• Percentile: 4%
Techniques & Countermeasures
- CWE-416•Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Affected Systems
- linux•linux
≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 572f0bf536ebc14f6e7da3d21a85cf076de8358e | ≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 1a0f2de81f7fbdc538fc72d7d74609b79bc83cc0 | ≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 7201a531b9a5ed892bfda5ded9194ef622de8ffa | ≥ 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 34c1741254ff972e8375faf176678a248826fe3a | ≥ 514ac99c64b22d83b52dfee3b8becaa69a92bc4a, < 1de30576a6dfeaaa27ef91fa272e6b9240b6fbd3 | ≥ 514ac99c64b22d83b52dfee3b8becaa69a92bc4a, < 64c8553decf5a5f2417bd54761ea0a832c56c4ca | ≥ 514ac99c64b22d83b52dfee3b8becaa69a92bc4a, < 3f43f12fde34737fba091b7e3ab391e14ddbb0be | ≥ 514ac99c64b22d83b52dfee3b8becaa69a92bc4a, < 5e9cfffad898bbeaafd0ea608a6d267362f050fc | ≥ 514ac99c64b22d83b52dfee3b8becaa69a92bc4a, < 572f0bf536ebc14f6e7da3d21a85cf076de8358e | ≥ 514ac99c64b22d83b52dfee3b8becaa69a92bc4a, < 1a0f2de81f7fbdc538fc72d7d74609b79bc83cc0 | ≥ 514ac99c64b22d83b52dfee3b8becaa69a92bc4a, < 7201a531b9a5ed892bfda5ded9194ef622de8ffa | ≥ 514ac99c64b22d83b52dfee3b8becaa69a92bc4a, < 34c1741254ff972e8375faf176678a248826fe3a | ≥ 514ac99c64b22d83b52dfee3b8becaa69a92bc4a, < a535a9217ca3f2fccedaafb2fddb4c48f27d36dc | 4.1
- linux•linux_kernel
≥ 4.1, ≤ 6.6.136 | ≥ 6.7, < 6.12.83 | ≥ 6.18, < 6.18.24 | ≥ 6.19, < 6.19.14 | ≥ 7.0, < 7.0.1
References (9)
- https://git.kernel.org/stable/c/572f0bf536ebc14f6e7da3d21a85cf076de8358e
- https://git.kernel.org/stable/c/1a0f2de81f7fbdc538fc72d7d74609b79bc83cc0
- https://git.kernel.org/stable/c/7201a531b9a5ed892bfda5ded9194ef622de8ffa
- https://git.kernel.org/stable/c/34c1741254ff972e8375faf176678a248826fe3a
- https://git.kernel.org/stable/c/a535a9217ca3f2fccedaafb2fddb4c48f27d36dc
- https://git.kernel.org/stable/c/5e9cfffad898bbeaafd0ea608a6d267362f050fc
- https://git.kernel.org/stable/c/1de30576a6dfeaaa27ef91fa272e6b9240b6fbd3
- https://git.kernel.org/stable/c/64c8553decf5a5f2417bd54761ea0a832c56c4ca
- https://git.kernel.org/stable/c/3f43f12fde34737fba091b7e3ab391e14ddbb0be