7.8
CVE-2026-31474
- EPSS 0.1%
- Veröffentlicht 22.04.2026 14:16:44
- Zuletzt bearbeitet 30.06.2026 03:18:25
- CVE-Watchlists
- Unerledigt
can: isotp: fix tx.buf use-after-free in isotp_sendmsg()
In the Linux kernel, the following vulnerability has been resolved: can: isotp: fix tx.buf use-after-free in isotp_sendmsg() isotp_sendmsg() uses only cmpxchg() on so->tx.state to serialize access to so->tx.buf. isotp_release() waits for ISOTP_IDLE via wait_event_interruptible() and then calls kfree(so->tx.buf). If a signal interrupts the wait_event_interruptible() inside close() while tx.state is ISOTP_SENDING, the loop exits early and release proceeds to force ISOTP_SHUTDOWN and continues to kfree(so->tx.buf) while sendmsg may still be reading so->tx.buf for the final CAN frame in isotp_fill_dataframe(). The so->tx.buf can be allocated once when the standard tx.buf length needs to be extended. Move the kfree() of this potentially extended tx.buf to sk_destruct time when either isotp_sendmsg() and isotp_release() are done.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 6.4.1 < 6.6.131
Linux ≫ Linux Kernel Version >= 6.7 < 6.12.80
Linux ≫ Linux Kernel Version >= 6.13 < 6.18.21
Linux ≫ Linux Kernel Version >= 6.19 < 6.19.11
Linux ≫ Linux Kernel Version6.4 Update-
Linux ≫ Linux Kernel Version7.0 Updaterc1
Linux ≫ Linux Kernel Version7.0 Updaterc2
Linux ≫ Linux Kernel Version7.0 Updaterc3
Linux ≫ Linux Kernel Version7.0 Updaterc4
Linux ≫ Linux Kernel Version7.0 Updaterc5
Linux ≫ Linux Kernel Version7.0 Updaterc6
Linux ≫ Linux Kernel Version7.0 Updaterc7
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.1% | 0.012 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-364 Signal Handler Race Condition
The product uses a signal handler that introduces a race condition.
CWE-416 Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
https://git.kernel.org/stable/c/2e62e7051eca75a7f2e3d52d62ec10d7d7aa358c
https://git.kernel.org/stable/c/424e95d62110cdbc8fd12b40918f37e408e35a92
https://git.kernel.org/stable/c/9649d051e54413049c009638ec1dc23962c884a4
https://git.kernel.org/stable/c/cb3d6efa78460e6d50bf68806d0db66265709f64
https://git.kernel.org/stable/c/eec8a1b18a79600bd4419079dc0026c1db72a830
https://access.redhat.com/errata/RHSA-2026:27288
https://access.redhat.com/errata/RHSA-2026:27731
https://access.redhat.com/errata/RHSA-2026:27789
https://access.redhat.com/security/cve/CVE-2026-31474
https://bugzilla.redhat.com/show_bug.cgi?id=2460646
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-31474.json