CVE-2026-31474

HIGH EPSS 2.6%
Published Apr 22, 20262mo ago · Modified Jun 17, 20262w ago
7.8 CVSS 3.1
High
Find Similar
Published Apr 22, 2026 2mo ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: can: isotp: fix tx.buf use-after-free in isotp_sendmsg() isotp_sendmsg() uses only cmpxchg() on so->tx.state to serialize access to so->tx.buf. isotp_release() waits for ISOTP_IDLE via wait_event_interruptible() and then calls kfree(so->tx.buf). If a signal interrupts the wait_event_interruptible() inside close() while tx.state is ISOTP_SENDING, the loop exits early and release proceeds to force ISOTP_SHUTDOWN and continues to kfree(so->tx.buf) while sendmsg may still be reading so->tx.buf for the final CAN frame in isotp_fill_dataframe(). The so->tx.buf can be allocated once when the standard tx.buf length needs to be extended. Move the kfree() of this potentially extended tx.buf to sk_destruct time when either isotp_sendmsg() and isotp_release() are done.

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
2.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 12

VendorProductVersionRange
linuxlinux_kernel*≥6.4.1  –  <6.6.131
linuxlinux_kernel*≥6.7  –  <6.12.80
linuxlinux_kernel*≥6.13  –  <6.18.21
linuxlinux_kernel*≥6.19  –  <6.19.11
linuxlinux_kernel6.4any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any

References 5

  • git.kernel.org https://git.kernel.org/stable/c/2e62e7051eca75a7f2e3d52d62ec10d7d7aa358c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/424e95d62110cdbc8fd12b40918f37e408e35a92
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9649d051e54413049c009638ec1dc23962c884a4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/cb3d6efa78460e6d50bf68806d0db66265709f64
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/eec8a1b18a79600bd4419079dc0026c1db72a830
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/2e62e7051eca75a7f2e3d52d62ec10d7d7aa358c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/424e95d62110cdbc8fd12b40918f37e408e35a92
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9649d051e54413049c009638ec1dc23962c884a4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/cb3d6efa78460e6d50bf68806d0db66265709f64
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/eec8a1b18a79600bd4419079dc0026c1db72a830
    Patch