CVE-2026-31474 Overview
A use-after-free vulnerability has been identified in the Linux kernel's CAN ISO-TP (ISO 15765-2) networking subsystem. The flaw exists in the isotp_sendmsg() function where improper synchronization between socket close operations and message transmission can lead to accessing freed memory. This vulnerability affects the CAN networking stack used in automotive and industrial applications.
Critical Impact
This use-after-free vulnerability in the kernel's CAN ISO-TP implementation could potentially allow local attackers to cause system instability, denial of service, or potentially achieve privilege escalation through memory corruption.
Affected Products
- Linux kernel with CAN ISO-TP subsystem enabled
- Systems using CONFIG_CAN_ISOTP kernel configuration
- Automotive and industrial systems utilizing CAN bus networking
Discovery Timeline
- 2026-04-22 - CVE-2026-31474 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-31474
Vulnerability Analysis
This use-after-free vulnerability occurs in the ISO-TP transport protocol implementation within the Linux kernel's CAN networking subsystem. The issue stems from a race condition between the isotp_sendmsg() function that transmits CAN frames and the isotp_release() function that handles socket cleanup during close operations.
The isotp_sendmsg() function relies solely on cmpxchg() operations on so->tx.state to serialize access to the transmission buffer (so->tx.buf). When a socket is closed via isotp_release(), the function waits for the transmission state to become ISOTP_IDLE through wait_event_interruptible(). However, if a signal interrupts this wait while the transmission state is ISOTP_SENDING, the wait loop exits prematurely.
Upon early exit, the release function forces the state to ISOTP_SHUTDOWN and proceeds to free so->tx.buf via kfree(). At this point, isotp_sendmsg() may still be reading from so->tx.buf to construct the final CAN frame in isotp_fill_dataframe(), resulting in a use-after-free condition.
Root Cause
The root cause is insufficient synchronization between socket teardown and ongoing message transmission. The so->tx.buf buffer, which can be dynamically extended during transmission of larger payloads, is freed in isotp_release() while potentially still being accessed by isotp_sendmsg(). The use of cmpxchg() alone on the state variable does not provide adequate protection against this race condition when signals interrupt the wait operation.
Attack Vector
An attacker with local access could exploit this vulnerability by initiating a CAN ISO-TP transmission and then triggering a signal-interrupted close operation on the socket. The timing window exists when:
- A process calls sendmsg() on an ISO-TP socket initiating transmission
- Another thread or signal handler calls close() on the same socket
- A signal interrupts the wait_event_interruptible() in isotp_release()
- The release function proceeds to free tx.buf while sendmsg is still accessing it
The fix moves the kfree() of the potentially extended tx.buf to sk_destruct time, ensuring both isotp_sendmsg() and isotp_release() have completed before the buffer is freed.
Detection Methods for CVE-2026-31474
Indicators of Compromise
- Kernel oops or panics with backtraces involving isotp_sendmsg() or isotp_fill_dataframe() functions
- Unexpected system crashes when CAN ISO-TP sockets are being closed during active transmission
- Memory corruption errors or KASAN (Kernel Address Sanitizer) reports in the CAN ISO-TP subsystem
Detection Strategies
- Enable KASAN (Kernel Address Sanitizer) to detect use-after-free memory access violations in the kernel
- Monitor kernel logs for warnings or errors related to the ISO-TP module (can_isotp)
- Implement system monitoring for abnormal CAN socket behavior or unexpected socket closure patterns
- Use ftrace or eBPF to trace isotp_sendmsg and isotp_release function calls for anomalous patterns
Monitoring Recommendations
- Configure kernel crash dump collection (kdump) to capture detailed information on any kernel panics
- Enable audit logging for CAN socket operations on systems where CAN bus networking is critical
- Monitor system stability metrics on automotive or industrial systems using CAN communication
How to Mitigate CVE-2026-31474
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the fix for this vulnerability
- Review systems using CAN ISO-TP functionality and prioritize patching based on exposure
- Consider temporarily disabling the ISO-TP module (modprobe -r can_isotp) if not required for operations
- Limit local user access to systems with CAN networking capabilities until patches are applied
Patch Information
The Linux kernel developers have released patches to address this vulnerability. The fix relocates the kfree() operation for the extended tx.buf to socket destruction time (sk_destruct), ensuring both isotp_sendmsg() and isotp_release() complete before memory is freed.
Patch commits are available through the following kernel git references:
- Kernel Commit 2e62e7051eca
- Kernel Commit 424e95d62110
- Kernel Commit 9649d051e544
- Kernel Commit cb3d6efa7846
- Kernel Commit eec8a1b18a79
Workarounds
- Disable the CAN ISO-TP kernel module if not required: modprobe -r can_isotp
- Add blacklist can_isotp to /etc/modprobe.d/blacklist.conf to prevent automatic module loading
- Restrict access to CAN network interfaces using appropriate permissions and namespacing
- Implement process isolation for applications that require CAN communication
# Configuration example
# Disable CAN ISO-TP module temporarily
modprobe -r can_isotp
# Blacklist the module to prevent loading on boot
echo "blacklist can_isotp" >> /etc/modprobe.d/blacklist-isotp.conf
# Verify module is not loaded
lsmod | grep isotp
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
