Cyber Resilience

CVE-2026-31474

High

Published: 22 April 2026

Modified: 27 April 2026
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (3.5th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31474 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 3.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2026-31474 is a use-after-free vulnerability in the Linux kernel's Controller Area Network (CAN) ISO-TP protocol implementation. The affected function, isotp_sendmsg(), relies solely on cmpxchg() on so->tx.state to serialize access to so->tx.buf. Meanwhile, isotp_release() waits for ISOTP_IDLE using wait_event_interruptible() before calling kfree(so->tx.buf). If a signal interrupts this wait during close() while tx.state is ISOTP_SENDING, the wait loop exits early, release forces ISOTP_SHUTDOWN, and so->tx.buf is freed while isotp_sendmsg() may still be reading it in isotp_fill_dataframe() for the final CAN frame. so->tx.buf can be allocated once when the standard tx.buf length needs to be extended. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-416.

A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of user interaction requirements. Exploitation involves triggering the race condition between sendmsg and release operations on an ISO-TP socket, potentially leading to use-after-free of tx.buf. Successful exploitation could allow the attacker to achieve high impacts on confidentiality, integrity, and availability, such as arbitrary code execution, data corruption, or kernel crashes within the context of the affected process.

Mitigation requires applying the relevant Linux kernel stable patches, as detailed in the upstream commit references. The fix relocates the kfree() of the potentially extended tx.buf to sk_destruct() timing, ensuring it occurs only after both isotp_sendmsg() and isotp_release() have completed, thereby preventing the use-after-free race. Security practitioners should update to kernels incorporating these commits (e.g., 2e62e7051eca, 424e95d62110, 9649d051e544, cb3d6efa7846, eec8a1b18a79) and monitor for affected CAN/ISO-TP usage in automotive or industrial environments.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

can: isotp: fix tx.buf use-after-free in isotp_sendmsg()

isotp_sendmsg() uses only cmpxchg() on so->tx.state to serialize access to so->tx.buf. isotp_release() waits for ISOTP_IDLE via wait_event_interruptible() and then calls kfree(so->tx.buf). If a signal interrupts the wait_event_interruptible() inside close() while tx.state is ISOTP_SENDING, the loop exits early and release proceeds to force ISOTP_SHUTDOWN and continues to kfree(so->tx.buf) while sendmsg may still be reading so->tx.buf for the final CAN frame in isotp_fill_dataframe().

The so->tx.buf can be allocated once when the standard tx.buf length needs to be extended. Move the kfree() of this potentially extended tx.buf to sk_destruct time when either isotp_sendmsg() and isotp_release() are done.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A local kernel use-after-free in isotp_sendmsg()/isotp_release() allows a low-privileged user to trigger the race for arbitrary code execution or kernel compromise, directly enabling exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 (same product: Linux Kernel)
CVE-2026-31530 (same product: Linux Kernel)
CVE-2026-43019 (same product: Linux Kernel)
CVE-2026-23158 (same product: Linux Kernel)
CVE-2025-21893 (same product: Linux Kernel)
CVE-2026-31446 (same product: Linux Kernel)
CVE-2026-31650 (same product: Linux Kernel)
CVE-2026-23001 (same product: Linux Kernel)
CVE-2024-50051 (same product: Linux Kernel)
CVE-2025-21759 (same product: Linux Kernel)

Affected Assets

linux
linux kernel
6.4, 7.0 · 6.4.1 — 6.6.131 · 6.7 — 6.12.80 · 6.13 — 6.18.21

Mitigating Controls (NIST 800-53 r5)

prevent

Directly requires timely patching of the use-after-free vulnerability in the Linux kernel's ISO-TP implementation to eliminate the race condition between isotp_sendmsg() and isotp_release().

prevent

Provides memory safeguards like address space layout randomization and data execution prevention that mitigate exploitation of the kernel use-after-free in tx.buf.

prevent

Restricts unnecessary kernel modules such as CAN ISO-TP to least functionality, preventing exposure to the socket race condition if not operationally required.
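
To check the least-functionality control above on a host, the following added example (not from this advisory or the kernel project) classifies whether the kernel's ISO-TP module, can_isotp, is loaded, still loadable, or blocked by modprobe configuration. The function names and the three result labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify exposure to the can-isotp socket code.
# File and directory paths are parameters so the same logic can run against
# saved copies of /proc/modules and modprobe.d collected from other hosts.
# Limitation: a kernel with ISO-TP compiled in (not a module) never shows it
# in /proc/modules and ignores modprobe.d, so check the kernel config there.

# Returns 0 if can_isotp is listed in a /proc/modules-format file.
isotp_loaded() {
    grep -Eq '^can_isotp[[:space:]]' "$1"
}

# Returns 0 if any *.conf in the given modprobe.d directories stops the
# module from loading. modprobe treats '-' and '_' in names as equal.
#   install can-isotp /bin/false  -> every modprobe of the module fails
#   blacklist can-isotp           -> alias-triggered autoload is ignored
isotp_blocked() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for conf in "$dir"/*.conf; do
            [ -f "$conf" ] || continue
            if grep -Eq '^[[:space:]]*(blacklist[[:space:]]+can[-_]isotp([[:space:]]|$)|install[[:space:]]+can[-_]isotp[[:space:]]+(/usr)?/bin/(false|true)([[:space:]]|$))' "$conf"; then
                return 0
            fi
        done
    done
    return 1
}

# Prints one of: loaded | loadable | blocked
isotp_exposure() {
    modules_file=$1
    shift
    if isotp_loaded "$modules_file"; then
        echo loaded
    elif isotp_blocked "$@"; then
        echo blocked
    else
        echo loadable
    fi
}

# Live-host usage:
#   isotp_exposure /proc/modules /etc/modprobe.d /run/modprobe.d /usr/lib/modprobe.d /lib/modprobe.d
```

A result of `loaded` or `loadable` on a kernel in the affected version ranges means the host still needs the patch or a module block.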

References