Skip to main content

Linux Kernel EUVDEUVD-2026-24827

| CVE-2026-31474 HIGH
Use After Free (CWE-416)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-6p7x-c5rv-9w7v
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 23:37 vuln.today
cvss_changed
Patch released
Apr 27, 2026 - 23:27 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 14:31 vuln.today
CVSS changed
Apr 27, 2026 - 14:22 NVD
7.8 (HIGH)
Patch available
Apr 22, 2026 - 16:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24827
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

can: isotp: fix tx.buf use-after-free in isotp_sendmsg()

isotp_sendmsg() uses only cmpxchg() on so->tx.state to serialize access to so->tx.buf. isotp_release() waits for ISOTP_IDLE via wait_event_interruptible() and then calls kfree(so->tx.buf).

If a signal interrupts the wait_event_interruptible() inside close() while tx.state is ISOTP_SENDING, the loop exits early and release proceeds to force ISOTP_SHUTDOWN and continues to kfree(so->tx.buf) while sendmsg may still be reading so->tx.buf for the final CAN frame in isotp_fill_dataframe().

The so->tx.buf can be allocated once when the standard tx.buf length needs to be extended. Move the kfree() of this potentially extended tx.buf to sk_destruct time when either isotp_sendmsg() and isotp_release() are done.

AnalysisAI

Use-after-free in Linux kernel ISO-TP CAN protocol driver allows local authenticated users to read freed memory, corrupt kernel state, or execute arbitrary code with kernel privileges. Affects kernels from commit 96d1c81e to 6.6.131, 6.12.80, 6.18.21, and 6.19.11. Vendor-released patches available across stable kernel branches. EPSS score 0.02% (5th percentile) indicates low probability of mass exploitation, and no public exploit identified at time of analysis, though CVSS 7.8 reflects high local privilege escalation potential if successfully exploited.

Technical ContextAI

The vulnerability exists in the Linux kernel's ISO-TP (ISO 15765-2) Controller Area Network (CAN) protocol implementation, specifically in the socket transmission buffer management between isotp_sendmsg() and isotp_release() functions. The code uses compare-and-exchange (cmpxchg) for lock-free synchronization of so->tx.state but fails to protect the so->tx.buf memory allocation itself. When wait_event_interruptible() in isotp_release() receives a signal during ISOTP_SENDING state, the wait loop exits prematurely, allowing kfree(so->tx.buf) to execute while isotp_sendmsg() may still access the buffer in isotp_fill_dataframe(). This race condition creates a classic use-after-free scenario where one thread frees memory that another thread continues to reference. The ISO-TP protocol is used in automotive and industrial CAN bus communications for segmented message transmission, making this buffer particularly critical for maintaining multi-frame message integrity. The vulnerability demonstrates insufficient synchronization between socket lifecycle operations (close) and ongoing I/O operations (send), a common pattern in kernel socket implementations that require careful temporal coupling between resource deallocation and active users.

RemediationAI

Upgrade to patched Linux kernel versions: 6.6.131 or later for 6.6.x series, 6.12.80 or later for 6.12.x series, 6.18.21 or later for 6.18.x series, 6.19.11 or later for 6.19.x series, or version 7.0 or later for mainline. Patches move the kfree(so->tx.buf) call from isotp_release() to sk_destruct time, ensuring buffer is only freed after both sendmsg and release operations complete. Upstream fixes available at git.kernel.org/stable commits 424e95d62110cdbc8fd12b40918f37e408e35a92, cb3d6efa78460e6d50bf68806d0db66265709f64, eec8a1b18a79600bd4419079dc0026c1db72a830, 9649d051e54413049c009638ec1dc23962c884a4, and 2e62e7051eca75a7f2e3d52d62ec10d7d7aa358c. If immediate patching is not feasible for automotive/embedded systems, unload the can-isotp kernel module with 'rmmod can_isotp' if ISO-TP functionality is not required, preventing exploitation but disabling ISO 15765-2 CAN communication capabilities. Restrict local user access to systems with CAN hardware as compensating control, though this does not eliminate risk in multi-user environments. Note that module unloading will break applications depending on ISO-TP sockets and may impact vehicle diagnostics, OBD-II tools, or industrial automation protocols.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-24827 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy