CVE-2026-31474

EPSS 0.01%
Veröffentlicht 22.04.2026 14:16:44
Zuletzt bearbeitet 27.04.2026 23:27:13
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

can: isotp: fix tx.buf use-after-free in isotp_sendmsg()

In the Linux kernel, the following vulnerability has been resolved:

can: isotp: fix tx.buf use-after-free in isotp_sendmsg()

isotp_sendmsg() uses only cmpxchg() on so->tx.state to serialize access
to so->tx.buf. isotp_release() waits for ISOTP_IDLE via
wait_event_interruptible() and then calls kfree(so->tx.buf).

If a signal interrupts the wait_event_interruptible() inside close()
while tx.state is ISOTP_SENDING, the loop exits early and release
proceeds to force ISOTP_SHUTDOWN and continues to kfree(so->tx.buf)
while sendmsg may still be reading so->tx.buf for the final CAN frame
in isotp_fill_dataframe().

The so->tx.buf can be allocated once when the standard tx.buf length needs
to be extended. Move the kfree() of this potentially extended tx.buf to
sk_destruct time when either isotp_sendmsg() and isotp_release() are done.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 8

NVD 12 VulnDex Vulnerability Enrichment 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 6.4.1 < 6.6.131

Linux ≫ Linux Kernel Version >= 6.7 < 6.12.80

Linux ≫ Linux Kernel Version >= 6.13 < 6.18.21

Linux ≫ Linux Kernel Version >= 6.19 < 6.19.11

Linux ≫ Linux Kernel Version6.4 Update-

Linux ≫ Linux Kernel Version7.0 Updaterc1

Linux ≫ Linux Kernel Version7.0 Updaterc2

Linux ≫ Linux Kernel Version7.0 Updaterc3

Linux ≫ Linux Kernel Version7.0 Updaterc4

Linux ≫ Linux Kernel Version7.0 Updaterc5

Linux ≫ Linux Kernel Version7.0 Updaterc6

Linux ≫ Linux Kernel Version7.0 Updaterc7

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.024

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/2e62e7051eca75a7f2e3d52d62ec10d7d7aa358c

Patch

https://git.kernel.org/stable/c/424e95d62110cdbc8fd12b40918f37e408e35a92

Patch

https://git.kernel.org/stable/c/9649d051e54413049c009638ec1dc23962c884a4

Patch

https://git.kernel.org/stable/c/cb3d6efa78460e6d50bf68806d0db66265709f64

Patch

https://git.kernel.org/stable/c/eec8a1b18a79600bd4419079dc0026c1db72a830

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-31474

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-31474

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-31474

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-31474