can: raw: fix ro->uniq use-after-free in raw_rcv()

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2026-31532
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-04-23 12:17:01 UTC
Updated2026-04-23 12:17:01 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: can: raw: fix ro->uniq use-after-free in raw_rcv() raw_release() unregisters raw CAN receive filters via can_rx_unregister(), but receiver deletion is deferred with call_rcu(). This leaves a window where raw_rcv() may still be running in an RCU read-side critical section after raw_release() frees ro->uniq, leading to a use-after-free of the percpu uniq storage. Move free_percpu(ro->uniq) out of raw_release() and into a raw-specific socket destructor. can_rx_unregister() takes an extra reference to the socket and only drops it from the RCU callback, so freeing uniq from sk_destruct ensures the percpu area is not released until the relevant callbacks have drained. [mkl: applied manually]

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 572f0bf536ebc14f6e7da3d21a85cf076de8358e git Not specified
CNA Linux Linux affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 1a0f2de81f7fbdc538fc72d7d74609b79bc83cc0 git Not specified
CNA Linux Linux affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 7201a531b9a5ed892bfda5ded9194ef622de8ffa git Not specified
CNA Linux Linux affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 34c1741254ff972e8375faf176678a248826fe3a git Not specified
CNA Linux Linux unaffected 6.12.83 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.24 6.18.* semver Not specified
CNA Linux Linux unaffected 6.19.14 6.19.* semver Not specified
CNA Linux Linux unaffected 7.0.1 7.0.* semver Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/572f0bf536ebc14f6e7da3d21a85cf076de8358e 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/7201a531b9a5ed892bfda5ded9194ef622de8ffa 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/1a0f2de81f7fbdc538fc72d7d74609b79bc83cc0 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/34c1741254ff972e8375faf176678a248826fe3a 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report