CVE-2026-31532

EPSS 0.01%
Veröffentlicht 23.04.2026 11:12:44
Zuletzt bearbeitet 29.04.2026 15:26:27
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

can: raw: fix ro->uniq use-after-free in raw_rcv()

In the Linux kernel, the following vulnerability has been resolved:

can: raw: fix ro->uniq use-after-free in raw_rcv()

raw_release() unregisters raw CAN receive filters via can_rx_unregister(),
but receiver deletion is deferred with call_rcu(). This leaves a window
where raw_rcv() may still be running in an RCU read-side critical section
after raw_release() frees ro->uniq, leading to a use-after-free of the
percpu uniq storage.

Move free_percpu(ro->uniq) out of raw_release() and into a raw-specific
socket destructor. can_rx_unregister() takes an extra reference to the
socket and only drops it from the RCU callback, so freeing uniq from
sk_destruct ensures the percpu area is not released until the relevant
callbacks have drained.

[mkl: applied manually]

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 9

NVD 5 VulnDex Vulnerability Enrichment 13

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 4.1 <= 6.6.136

Linux ≫ Linux Kernel Version >= 6.7 < 6.12.83

Linux ≫ Linux Kernel Version >= 6.18 < 6.18.24

Linux ≫ Linux Kernel Version >= 6.19 < 6.19.14

Linux ≫ Linux Kernel Version >= 7.0 < 7.0.1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.024

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
416baaa9-dc9f-4396-8d5f-8c081fb06d67	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/572f0bf536ebc14f6e7da3d21a85cf076de8358e

Patch

https://git.kernel.org/stable/c/1a0f2de81f7fbdc538fc72d7d74609b79bc83cc0

Patch

https://git.kernel.org/stable/c/7201a531b9a5ed892bfda5ded9194ef622de8ffa

Patch

https://git.kernel.org/stable/c/34c1741254ff972e8375faf176678a248826fe3a

Patch

https://git.kernel.org/stable/c/a535a9217ca3f2fccedaafb2fddb4c48f27d36dc

Patch

https://git.kernel.org/stable/c/5e9cfffad898bbeaafd0ea608a6d267362f050fc

Patch