Use-After-Free Vulnerability in Linux Kernel Affecting CAN Raw Socket
CVE-2026-31532

Currently unrated

Key Information:

Vendor: Linux

Status: Vendor

CVE Published: 23 April 2026

What is CVE-2026-31532?

A use-after-free vulnerability exists in the Linux kernel's CAN raw socket implementation. When raw_release() unregisters the socket's raw CAN receive filters through can_rx_unregister(), the receiver is not deleted immediately: deletion is deferred with call_rcu(), which opens a race window. During that window raw_rcv() can still run inside an RCU read-side critical section after raw_release() has already freed the socket's unique (per-cpu) storage, so the receive path accesses freed memory. The proper fix moves the freeing of the per-cpu storage into a dedicated socket destructor, so the memory stays valid until every deferred callback has completed.
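The ordering problem is easier to see in a small user-space model. The program below is an added illustration, not the kernel's code and not the fix itself: the names raw_rcv, raw_release and can_rx_unregister mirror the advisory, while the reference counter, the one-slot queue that stands in for call_rcu(), the uniq field and the destructor name raw_sock_destruct are constructed assumptions. In the buggy ordering, raw_release() frees the storage while the receiver is still reachable; in the fixed ordering the storage is only freed once the deferred deletion has dropped the receiver's reference to the socket.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the lifetime bug described in CVE-2026-31532.
 * "uniq" stands in for the per-cpu storage raw_rcv() reads; a one-slot
 * queue stands in for call_rcu().  Not the kernel's code. */

struct raw_sock {
    int refcnt;          /* sock_hold()/sock_put() model */
    int *uniq;           /* per-socket storage used by raw_rcv() */
    int destruct_calls;  /* how often the destructor ran (fixed path only) */
};

struct receiver {
    struct raw_sock *sk; /* registration holds a reference on the socket */
    bool pending_delete; /* unregistered, deletion deferred */
};

static struct receiver *deferred; /* the one-slot call_rcu() queue */

static void sock_hold(struct raw_sock *sk) { sk->refcnt++; }

/* Fixed design: storage is released here, only after every reference,
 * including the receiver's, has been dropped. */
static void raw_sock_destruct(struct raw_sock *sk)
{
    free(sk->uniq);
    sk->uniq = NULL;
    sk->destruct_calls++;
}

static void sock_put(struct raw_sock *sk, bool fixed)
{
    if (--sk->refcnt == 0 && fixed)
        raw_sock_destruct(sk);
}

static struct receiver *can_rx_register(struct raw_sock *sk)
{
    struct receiver *r = calloc(1, sizeof *r);
    r->sk = sk;
    sock_hold(sk);
    return r;
}

/* Unregister only queues the receiver; raw_rcv() can still reach it
 * until the deferred callback runs. */
static void can_rx_unregister(struct receiver *r)
{
    r->pending_delete = true;
    deferred = r;
}

/* The deferred callback: drop the socket reference, then free the receiver. */
static void run_deferred(bool fixed)
{
    struct receiver *r = deferred;
    if (!r)
        return;
    deferred = NULL;
    sock_put(r->sk, fixed);
    free(r);
}

/* Receive path: returns 1 if it would touch freed storage, 0 otherwise.
 * The NULL check is bookkeeping so the model never dereferences freed
 * memory; in the kernel this is the use-after-free. */
static int raw_rcv(struct receiver *r)
{
    if (r->sk->uniq == NULL)
        return 1;
    r->sk->uniq[0]++;
    return 0;
}

static void raw_release(struct raw_sock *sk, struct receiver *r, bool fixed)
{
    can_rx_unregister(r);      /* deferred: raw_rcv() is still possible */
    if (!fixed) {
        free(sk->uniq);        /* buggy: freed while the receiver is live */
        sk->uniq = NULL;
    }
    sock_put(sk, fixed);       /* the user's reference; receiver's remains */
}

/* Scenario: close(), a frame arrives before the grace period ends, then
 * the deferred deletion runs.  Returns the number of unsafe accesses and
 * reports how often the destructor ran. */
int run_scenario(bool fixed, int *destruct_calls)
{
    struct raw_sock *sk = calloc(1, sizeof *sk);
    struct receiver *r;
    int unsafe;

    sk->uniq = calloc(1, sizeof(int));
    sock_hold(sk);             /* reference taken by socket() */
    r = can_rx_register(sk);

    raw_release(sk, r, fixed); /* close() */
    unsafe = raw_rcv(r);       /* frame delivered inside the RCU window */
    run_deferred(fixed);       /* grace period ends */

    *destruct_calls = sk->destruct_calls;
    free(sk->uniq);            /* NULL on both paths by now */
    free(sk);
    return unsafe;
}

int main(void)
{
    int d;
    printf("buggy ordering: %d unsafe access(es)\n", run_scenario(false, &d));
    printf("fixed ordering: %d unsafe access(es), destructor ran %d time(s)\n",
           run_scenario(true, &d), d);
    return 0;
}
```

The point of the model is the refcount handoff: because registration holds a reference on the socket that is only dropped from the deferred callback, a destructor keyed to the last reference cannot run before the receiver is gone, which is exactly the guarantee raw_release() freeing the storage directly did not provide.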

Affected Version(s)

Each range is given as git commit identifiers (first affected commit < fixing commit):

Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 572f0bf536ebc14f6e7da3d21a85cf076de8358e

Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 1a0f2de81f7fbdc538fc72d7d74609b79bc83cc0

Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 7201a531b9a5ed892bfda5ded9194ef622de8ffa

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved
