Skip to main content

Linux Kernel EUVDEUVD-2026-25219

| CVE-2026-31532 HIGH
Use After Free (CWE-416)
2026-04-23 Linux GHSA-7w6x-pfmg-76xx
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 29, 2026 - 15:52 vuln.today
cvss_changed
Patch released
Apr 29, 2026 - 15:26 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:27 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
7.8 (HIGH)
Patch available
Apr 23, 2026 - 13:16 EUVD
EUVD ID Assigned
Apr 23, 2026 - 11:30 euvd
EUVD-2026-25219
Analysis Generated
Apr 23, 2026 - 11:30 vuln.today
CVE Published
Apr 23, 2026 - 11:12 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

can: raw: fix ro->uniq use-after-free in raw_rcv()

raw_release() unregisters raw CAN receive filters via can_rx_unregister(), but receiver deletion is deferred with call_rcu(). This leaves a window where raw_rcv() may still be running in an RCU read-side critical section after raw_release() frees ro->uniq, leading to a use-after-free of the percpu uniq storage.

Move free_percpu(ro->uniq) out of raw_release() and into a raw-specific socket destructor. can_rx_unregister() takes an extra reference to the socket and only drops it from the RCU callback, so freeing uniq from sk_destruct ensures the percpu area is not released until the relevant callbacks have drained.

[mkl: applied manually]

AnalysisAI

Use-after-free in Linux kernel CAN raw socket implementation allows local authenticated attackers to corrupt memory and potentially achieve code execution. The vulnerability stems from premature deallocation of percpu uniq storage in raw_release() while raw_rcv() may still access it via deferred RCU callbacks. Patches available for kernel versions 6.12.83, 6.18.24, 6.19.14, and 7.0.1. EPSS exploitation probability remains low (0.02%, 5th percentile) with no active exploitation confirmed at time of analysis.

Technical ContextAI

This vulnerability affects the Controller Area Network (CAN) raw socket implementation in the Linux kernel networking stack. CAN is an embedded system protocol used extensively in automotive and industrial control systems. The flaw involves improper synchronization between socket cleanup (raw_release) and packet reception (raw_rcv). The raw socket code uses Read-Copy-Update (RCU) for lock-free access to receiver filters, and percpu variables for performance optimization. When raw_release() calls can_rx_unregister() to remove receive filters, the actual deletion is deferred via call_rcu(), but the original code immediately freed the ro->uniq percpu storage with free_percpu(). This creates a race condition where raw_rcv() running in an RCU read-side critical section can access freed memory. The fix moves free_percpu() into a socket destructor (sk_destruct), ensuring the percpu area persists until all RCU callbacks drain. This vulnerability represents a classic time-of-check-time-of-use (TOCTOU) race in resource lifecycle management within a concurrent system.

RemediationAI

Upgrade to patched Linux kernel versions: 6.12.83, 6.18.24, 6.19.14, or 7.0.1 and later within respective stable branches. Patch commits are available at kernel.org stable tree (https://git.kernel.org/stable/c/572f0bf536ebc14f6e7da3d21a85cf076de8358e for 6.12 branch, https://git.kernel.org/stable/c/1a0f2de81f7fbdc538fc72d7d74609b79bc83cc0 for 6.18, https://git.kernel.org/stable/c/7201a531b9a5ed892bfda5ded9194ef622de8ffa for 6.19, https://git.kernel.org/stable/c/34c1741254ff972e8375faf176678a248826fe3a for 7.0). If immediate patching is not feasible for CAN-enabled systems, disable CAN raw socket support by blacklisting the can-raw kernel module (echo 'blacklist can-raw' >> /etc/modprobe.d/blacklist.conf and unload with rmmod can-raw). This prevents userspace from creating vulnerable raw CAN sockets but breaks legitimate CAN applications relying on raw socket access. Alternatively, restrict access to CAN socket creation via AppArmor or SELinux policies limiting CAP_NET_RAW capability to trusted processes only, though this does not eliminate the vulnerability for authorized CAN applications. For non-CAN systems (verify with lsmod | grep can), risk is negligible and this becomes low-priority patch scheduling.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-25219 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy