Linux kernel CAN raw socket UAF via RCU deferred deletion: CVE-2026-31532 April 2026

Linux kernel CAN raw socket UAF via RCU deferred deletion
CVE-2026-31532 Published on April 23, 2026

can: raw: fix ro->uniq use-after-free in raw_rcv()
In the Linux kernel, the following vulnerability has been resolved: can: raw: fix ro->uniq use-after-free in raw_rcv() raw_release() unregisters raw CAN receive filters via can_rx_unregister(), but receiver deletion is deferred with call_rcu(). This leaves a window where raw_rcv() may still be running in an RCU read-side critical section after raw_release() frees ro->uniq, leading to a use-after-free of the percpu uniq storage. Move free_percpu(ro->uniq) out of raw_release() and into a raw-specific socket destructor. can_rx_unregister() takes an extra reference to the socket and only drops it from the RCU callback, so freeing uniq from sk_destruct ensures the percpu area is not released until the relevant callbacks have drained. [mkl: applied manually]

Products Associated with CVE-2026-31532

Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.

Affected Versions

Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below 572f0bf536ebc14f6e7da3d21a85cf076de8358e is affected.

Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below 1a0f2de81f7fbdc538fc72d7d74609b79bc83cc0 is affected.

Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below 7201a531b9a5ed892bfda5ded9194ef622de8ffa is affected.

Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below 34c1741254ff972e8375faf176678a248826fe3a is affected.

Version 6.12.83, <= 6.12.* is unaffected.

Version 6.18.24, <= 6.18.* is unaffected.

Version 6.19.14, <= 6.19.* is unaffected.

Version 7.0.1, <= 7.0.* is unaffected.

Linux kernel CAN raw socket UAF via RCU deferred deletionCVE-2026-31532 Published on April 23, 2026

Products Associated with CVE-2026-31532

Affected Versions

Linux kernel CAN raw socket UAF via RCU deferred deletion
CVE-2026-31532 Published on April 23, 2026