CVE-2026-31474
Published: 22 April 2026
Summary
CVE-2026-31474 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability is ranked at the 3.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2026-31474 is a use-after-free vulnerability in the Linux kernel's Controller Area Network (CAN) ISO-TP protocol implementation. Specifically, the issue affects the isotp_sendmsg() function, which relies solely on cmpxchg() on so->tx.state for serializing access to so->tx.buf. Meanwhile, isotp_release() waits for ISOTP_IDLE using wait_event_interruptible() before calling kfree(so->tx.buf). A signal interrupting this wait during close(), when tx.state is ISOTP_SENDING, causes the wait loop to exit early; release then forces ISOTP_SHUTDOWN and frees so->tx.buf while isotp_sendmsg() may still be reading it in isotp_fill_dataframe() for the final CAN frame. The tx.buf in question may have been allocated once to extend the standard buffer length. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-416.
A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of user interaction requirements. Exploitation involves triggering the race condition between sendmsg and release operations on an ISO-TP socket, potentially leading to use-after-free of tx.buf. Successful exploitation could allow the attacker to achieve high impacts on confidentiality, integrity, and availability, such as arbitrary code execution, data corruption, or kernel crashes within the context of the affected process.
Mitigation requires applying the relevant Linux kernel stable patches, as detailed in the upstream commit references. The fix relocates the kfree() of the potentially extended tx.buf to sk_destruct() timing, ensuring it occurs only after both isotp_sendmsg() and isotp_release() have completed, thereby preventing the use-after-free race. Security practitioners should update to kernels incorporating these commits (e.g., 2e62e7051eca, 424e95d62110, 9649d051e544, cb3d6efa7846, eec8a1b18a79) and monitor for affected CAN/ISO-TP usage in automotive or industrial environments.
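The interleaving described above, and why moving kfree() to sk_destruct() time closes it, as an added user-space model that is not kernel code and not part of this advisory. The struct, the function names and the constructed buffer size stand in for the kernel's isotp_sock fields; the unpatched and patched release paths are replayed side by side.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

/* Constructed user-space model of the tx state machine the advisory describes,
 * not kernel code; names mirror the kernel's for readability. */
enum { ISOTP_IDLE, ISOTP_SENDING, ISOTP_SHUTDOWN };
struct isotp_sock {
    atomic_int tx_state;
    unsigned char *tx_buf;  /* the (possibly extended) transmit buffer */
    bool tx_buf_freed;      /* model bookkeeping: has tx_buf been kfree()d? */
};
/* Stand-in for kfree(): frees once and records that the buffer is gone. */
static void model_kfree(struct isotp_sock *so) {
    if (!so->tx_buf_freed) { free(so->tx_buf); so->tx_buf = NULL; }
    so->tx_buf_freed = true;
}
/* isotp_sendmsg() entry: cmpxchg() on tx_state is the only serialisation. */
static bool sendmsg_begin(struct isotp_sock *so) {
    int expected = ISOTP_IDLE;
    return atomic_compare_exchange_strong(&so->tx_state, &expected, ISOTP_SENDING);
}
/* isotp_sendmsg() tail: isotp_fill_dataframe() reads tx_buf for the final frame.
 * Returns false when the buffer is already freed, i.e. the read would be a UAF. */
static bool sendmsg_fill_final_frame(struct isotp_sock *so) {
    bool safe = !so->tx_buf_freed;
    int expected = ISOTP_SENDING;  /* back to IDLE unless release forced SHUTDOWN */
    atomic_compare_exchange_strong(&so->tx_state, &expected, ISOTP_IDLE);
    return safe;
}
/* isotp_release() whose wait_event_interruptible() a signal cut short while
 * tx_state was SENDING: both variants force SHUTDOWN; only unpatched frees here. */
static void release_interrupted(struct isotp_sock *so, bool patched) {
    atomic_store(&so->tx_state, ISOTP_SHUTDOWN);
    if (!patched) model_kfree(so);  /* unpatched: kfree(so->tx.buf) in release */
}
/* sk_destruct(): runs once the last socket reference drops, i.e. after both
 * sendmsg and release have returned; the patch moves kfree() here. */
static void sk_destruct(struct isotp_sock *so) { model_kfree(so); }
/* Replays the advisory's interleaving: sendmsg claims the transmitter, close()
 * is interrupted by a signal, sendmsg then reads tx_buf for the final frame.
 * Returns true if that final read hit a live buffer. */
static bool replay_race(bool patched) {
    struct isotp_sock so = { .tx_buf = calloc(4095, 1), .tx_buf_freed = false };
    atomic_init(&so.tx_state, ISOTP_IDLE);
    if (!sendmsg_begin(&so)) return false;
    release_interrupted(&so, patched);
    bool safe = sendmsg_fill_final_frame(&so);
    sk_destruct(&so);
    return safe;
}
```

replay_race(false) reports the final-frame read landing on a freed buffer; replay_race(true) shows the same interleaving is harmless once the free is deferred to sk_destruct().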
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24827
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
can: isotp: fix tx.buf use-after-free in isotp_sendmsg()
isotp_sendmsg() uses only cmpxchg() on so->tx.state to serialize access to so->tx.buf. isotp_release() waits for ISOTP_IDLE via wait_event_interruptible() and then calls kfree(so->tx.buf). If a signal interrupts the wait_event_interruptible() inside close() while tx.state is ISOTP_SENDING, the loop exits early and release proceeds to force ISOTP_SHUTDOWN and continues to kfree(so->tx.buf) while sendmsg may still be reading so->tx.buf for the final CAN frame in isotp_fill_dataframe(). The so->tx.buf can be allocated once when the standard tx.buf length needs to be extended. Move the kfree() of this potentially extended tx.buf to sk_destruct time when either isotp_sendmsg() and isotp_release() are done.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A local kernel use-after-free in isotp_sendmsg()/isotp_release() allows a low-privileged user to trigger the race for arbitrary code execution or kernel compromise, directly enabling Exploitation for Privilege Escalation (T1068).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely patching of the use-after-free vulnerability in the Linux kernel's ISO-TP implementation to eliminate the race condition between isotp_sendmsg() and isotp_release().
- Memory protection (ASLR, DEP): Provides memory safeguards like address space layout randomization and data execution prevention that mitigate exploitation of the kernel use-after-free in tx.buf.
- CM-7 (Least Functionality): Restricts unnecessary kernel modules such as CAN ISO-TP to least functionality, preventing exposure to the socket race condition if the protocol is not operationally required.