CVE-2026-31532
Published: 23 April 2026
Summary
CVE-2026-31532 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 2.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
Directly requires timely remediation of the use-after-free vulnerability in the Linux kernel's CAN raw socket implementation through application of vendor patches.
Implements memory protection mechanisms such as kernel address space layout randomization and supervisor mode execution prevention to mitigate exploitation of the use-after-free race condition.
Enables vulnerability scanning to identify systems affected by CVE-2026-31532 based on kernel version and configuration.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Local kernel use-after-free in CAN raw sockets enables privilege escalation via memory corruption and arbitrary code execution from low-privileged context (AV:L/PR:L).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: can: raw: fix ro->uniq use-after-free in raw_rcv() raw_release() unregisters raw CAN receive filters via can_rx_unregister(), but receiver deletion is deferred with call_rcu(). This leaves a window where raw_rcv() may still be running in an RCU read-side critical section after raw_release() frees ro->uniq, leading to a use-after-free of the percpu uniq storage. Move free_percpu(ro->uniq) out of raw_release() and into a raw-specific socket destructor. can_rx_unregister() takes an extra reference to the socket and only drops it from the RCU callback, so freeing uniq from sk_destruct ensures the percpu area is not released until the relevant callbacks have drained. [mkl: applied manually]
Deeper analysis (AI)
CVE-2026-31532 is a use-after-free vulnerability (CWE-416) in the Linux kernel's CAN raw socket implementation. The flaw surfaces in raw_rcv(): raw_release() unregisters CAN receive filters via can_rx_unregister(), which defers receiver deletion using call_rcu(). This creates a race in which raw_rcv(), still running in an RCU read-side critical section, can access the ro->uniq percpu storage after raw_release() has freed it.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L), local access (AV:L), and no user interaction (UI:N), as indicated by its CVSS v3.1 base score of 7.8 (C:H/I:H/A:H/S:U). Exploitation could have a high impact on confidentiality, integrity, and availability, potentially enabling arbitrary code execution, data corruption, or denial of service through kernel memory corruption.
Mitigation involves applying kernel patches that relocate free_percpu(ro->uniq) from raw_release() to a raw-specific socket destructor (sk_destruct). This ensures the percpu area is freed only after can_rx_unregister()'s extra socket reference is dropped and RCU callbacks drain. Relevant stable branch commits include: https://git.kernel.org/stable/c/1a0f2de81f7fbdc538fc72d7d74609b79bc83cc0, https://git.kernel.org/stable/c/34c1741254ff972e8375faf176678a248826fe3a, https://git.kernel.org/stable/c/572f0bf536ebc14f6e7da3d21a85cf076de8358e, https://git.kernel.org/stable/c/5e9cfffad898bbeaafd0ea608a6d267362f050fc, and https://git.kernel.org/stable/c/7201a531b9a5ed892bfda5ded9194ef622de8ffa.
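The lifetime ordering described above can be traced in a small userspace model. This is an added example, not kernel code or the patch itself: the `*_model` names are hypothetical, a plain counter stands in for the socket reference count, and a flag stands in for the pending call_rcu() callback.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed userspace model; the *_model names are hypothetical, not kernel APIs. */
struct sock_model {
    int refcnt;         /* stands in for the socket reference count */
    int *uniq;          /* stands in for the percpu ro->uniq area */
    int uniq_live;      /* 1 while uniq is still allocated */
    int patched;        /* 1 = destructor frees uniq, 0 = release frees it */
    int rcu_pending;    /* 1 while deferred receiver deletion has not run */
};

/* Dropping the last reference runs the destructor (sk_destruct analogue). */
static void sock_put_model(struct sock_model *sk) {
    if (--sk->refcnt == 0 && sk->patched && sk->uniq_live) {
        free(sk->uniq);
        sk->uniq_live = 0;
    }
}

/* raw_release() analogue: unregister takes an extra ref and defers deletion. */
static void release_model(struct sock_model *sk) {
    sk->refcnt++;               /* extra reference held until the callback */
    sk->rcu_pending = 1;        /* call_rcu() analogue: deletion is deferred */
    if (!sk->patched) {         /* pre-fix ordering: free before callbacks drain */
        free(sk->uniq);
        sk->uniq_live = 0;
    }
    sock_put_model(sk);         /* the closing task drops its own reference */
}

/* Returns 1 if uniq stays allocated while a receive callback could still run;
 * *freed_at_end reports whether uniq was released once the callback drained. */
int uniq_live_in_window(int patched, int *freed_at_end) {
    struct sock_model sk = { 1, malloc(sizeof(int)), 1, patched, 0 };
    release_model(&sk);
    int live = sk.rcu_pending && sk.uniq_live;  /* the window raw_rcv() may occupy */
    sk.rcu_pending = 0;         /* RCU callback analogue runs ... */
    sock_put_model(&sk);        /* ... and drops the extra reference */
    *freed_at_end = !sk.uniq_live;
    return live;
}

int main(void) {
    int freed;
    printf("pre-fix: live in window = %d\n", uniq_live_in_window(0, &freed));
    printf("patched: live in window = %d\n", uniq_live_in_window(1, &freed));
    return 0;
}
```

In the pre-fix ordering the storage is already gone while the deferred callback is still pending; with the destructor owning the free, it survives that window and is released exactly once afterwards.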
Details
- CWE(s)