{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31474", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.098Z", "datePublished": "2026-04-22T13:54:03.100Z", "dateUpdated": "2026-04-22T13:54:03.100Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-22T13:54:03.100Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: isotp: fix tx.buf use-after-free in isotp_sendmsg()\n\nisotp_sendmsg() uses only cmpxchg() on so->tx.state to serialize access\nto so->tx.buf. isotp_release() waits for ISOTP_IDLE via\nwait_event_interruptible() and then calls kfree(so->tx.buf).\n\nIf a signal interrupts the wait_event_interruptible() inside close()\nwhile tx.state is ISOTP_SENDING, the loop exits early and release\nproceeds to force ISOTP_SHUTDOWN and continues to kfree(so->tx.buf)\nwhile sendmsg may still be reading so->tx.buf for the final CAN frame\nin isotp_fill_dataframe().\n\nThe so->tx.buf can be allocated once when the standard tx.buf length needs\nto be extended. Move the kfree() of this potentially extended tx.buf to\nsk_destruct time when either isotp_sendmsg() and isotp_release() are done."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/can/isotp.c"], "versions": [{"version": "96d1c81e6a0478535342dff6c730adb076cd84e8", "lessThan": "cb3d6efa78460e6d50bf68806d0db66265709f64", "status": "affected", "versionType": "git"}, {"version": "96d1c81e6a0478535342dff6c730adb076cd84e8", "lessThan": "9649d051e54413049c009638ec1dc23962c884a4", "status": "affected", "versionType": "git"}, {"version": "96d1c81e6a0478535342dff6c730adb076cd84e8", "lessThan": "eec8a1b18a79600bd4419079dc0026c1db72a830", "status": "affected", "versionType": "git"}, {"version": "96d1c81e6a0478535342dff6c730adb076cd84e8", "lessThan": "2e62e7051eca75a7f2e3d52d62ec10d7d7aa358c", "status": "affected", "versionType": "git"}, {"version": "96d1c81e6a0478535342dff6c730adb076cd84e8", "lessThan": "424e95d62110cdbc8fd12b40918f37e408e35a92", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/can/isotp.c"], "versions": [{"version": "6.4", "status": "affected"}, {"version": "0", "lessThan": "6.4", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.131", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.6.131"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/cb3d6efa78460e6d50bf68806d0db66265709f64"}, {"url": "https://git.kernel.org/stable/c/9649d051e54413049c009638ec1dc23962c884a4"}, {"url": "https://git.kernel.org/stable/c/eec8a1b18a79600bd4419079dc0026c1db72a830"}, {"url": "https://git.kernel.org/stable/c/2e62e7051eca75a7f2e3d52d62ec10d7d7aa358c"}, {"url": "https://git.kernel.org/stable/c/424e95d62110cdbc8fd12b40918f37e408e35a92"}], "title": "can: isotp: fix tx.buf use-after-free in isotp_sendmsg()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: isotp: fix tx.buf use-after-free in isotp_sendmsg()\n\nisotp_sendmsg() uses only cmpxchg() on so->tx.state to serialize access\nto so->tx.buf. isotp_release() waits for ISOTP_IDLE via\nwait_event_interruptible() and then calls kfree(so->tx.buf).\n\nIf a signal interrupts the wait_event_interruptible() inside close()\nwhile tx.state is ISOTP_SENDING, the loop exits early and release\nproceeds to force ISOTP_SHUTDOWN and continues to kfree(so->tx.buf)\nwhile sendmsg may still be reading so->tx.buf for the final CAN frame\nin isotp_fill_dataframe().\n\nThe so->tx.buf can be allocated once when the standard tx.buf length needs\nto be extended. Move the kfree() of this potentially extended tx.buf to\nsk_destruct time when either isotp_sendmsg() and isotp_release() are done."}], "id": "CVE-2026-31474", "lastModified": "2026-04-22T14:16:44.053", "metrics": {}, "published": "2026-04-22T14:16:44.053", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2e62e7051eca75a7f2e3d52d62ec10d7d7aa358c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/424e95d62110cdbc8fd12b40918f37e408e35a92"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9649d051e54413049c009638ec1dc23962c884a4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cb3d6efa78460e6d50bf68806d0db66265709f64"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/eec8a1b18a79600bd4419079dc0026c1db72a830"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T18:56:50.335356+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the patch for the ISO\u2011TP sendmsg use\u2011after\u2011free bug", "Reboot the system after upgrading to ensure the new kernel is running", "If an immediate upgrade is not possible, consider disabling the ISO\u2011TP functionality in the CAN network stack or isolating CAN devices until a patched kernel is available"], "summary": {"action": "Immediate Patch", "impact": "Use\u2011After\u2011Free in Linux CAN ISO\u2011TP driver"}, "threat_synthesis": {"affected_systems": "All Linux kernel installations that include the problematic CAN ISO\u2011TP driver are potentially vulnerable; the CVE does not specify particular kernel releases, and the list of affected versions is not provided in the vendor data.", "description_and_impact": "The CVE involves a use\u2011after\u2011free flaw in the Linux kernel's CAN ISO\u2011TP driver. When a close operation is interrupted by a signal while a transmission is in progress, the driver may free the transmission buffer before the sending routine has finished using it. This exposes corrupted memory references that could lead to a kernel crash, data corruption, or a denial\u2011of\u2011service condition for the affected system.", "risk_and_exploitability": "The vulnerability is limited to kernel space and requires local or remote code execution that can trigger the close path with an interrupting signal. While no exploit proof\u2011of\u2011concepts have been reported, the use\u2011after\u2011free could be leveraged to crash the system or perform memory corruption. Because the exploit requires precise timing of an interrupt during a close operation, the probability of successful exploitation is unclear, and the EPSS score is not available. Nevertheless, the vulnerability is listed in the kernel source, and the recommendation is to treat it as a high\u2011risk issue."}}}}, "created": "2026-04-22T19:00:08.095909+00:00", "updated": "2026-04-22T19:00:08.095923+00:00", "vendors": [], "weaknesses": ["CWE-416"]}