CVE-2026-31532: Linux Kernel Use-After-Free Vulnerability

CVE-2026-31532 Overview

CVE-2026-31532 is a use-after-free vulnerability [CWE-416] in the Linux kernel's Controller Area Network (CAN) raw socket implementation. The flaw resides in the raw_rcv() function, where the per-CPU ro->uniq storage can be accessed after being freed by raw_release(). The root cause is a synchronization gap between filter unregistration and Read-Copy-Update (RCU) callback execution. A local authenticated attacker can trigger memory corruption in kernel space, potentially leading to privilege escalation or denial of service.

Critical Impact
Local attackers with the ability to open CAN raw sockets can exploit the use-after-free in raw_rcv() to corrupt kernel memory, with potential for local privilege escalation on affected Linux systems.

Affected Products

Linux Kernel (multiple stable branches receiving backported fixes)
Distributions shipping vulnerable kernels with CONFIG_CAN_RAW enabled
Embedded and automotive Linux systems using the CAN subsystem

Discovery Timeline

2026-04-23 - CVE-2026-31532 published to the National Vulnerability Database
2026-04-29 - Last updated in NVD database

Technical Details for CVE-2026-31532

Vulnerability Analysis

The vulnerability exists in the Linux kernel CAN raw protocol implementation (net/can/raw.c). When a process closes a CAN raw socket, raw_release() calls can_rx_unregister() to remove receive filters. However, the actual receiver deletion is deferred via call_rcu() to maintain RCU read-side guarantees for concurrent receivers.

The issue arises because raw_release() immediately calls free_percpu(ro->uniq) to release the per-CPU uniq storage. Meanwhile, raw_rcv() may still be executing inside an RCU read-side critical section on another CPU, holding a stale reference to ro->uniq. This produces a classic use-after-free window where the receive path dereferences freed per-CPU memory.

Root Cause

The root cause is improper lifetime management of the per-CPU uniq allocation relative to RCU grace periods. The can_rx_unregister() function takes an extra socket reference that is only dropped from the RCU callback, but free_percpu(ro->uniq) was not subject to the same deferral. The fix moves the free_percpu(ro->uniq) call out of raw_release() and into a raw-specific socket destructor (sk_destruct). This ensures the per-CPU area persists until all RCU callbacks have drained and the final socket reference is released.

Attack Vector

Exploitation requires local access and the ability to create CAN raw sockets, which typically requires CAP_NET_RAW or an unprivileged user namespace where this capability is granted. An attacker triggers the race by rapidly opening and closing CAN raw sockets while concurrent packet delivery causes raw_rcv() to execute. Successful exploitation corrupts kernel per-CPU memory, which can be leveraged for kernel information disclosure, denial of service, or privilege escalation through heap grooming techniques.

No public proof-of-concept exploit is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2026-31532

Indicators of Compromise

Kernel oops or panic messages referencing raw_rcv, raw_release, or free_percpu in dmesg output
KASAN (Kernel Address Sanitizer) reports indicating use-after-free in the net/can/raw.c code path
Unexpected process crashes or kernel instability on systems with CAN subsystem activity
Anomalous socket creation patterns involving AF_CAN with SOCK_RAW

Detection Strategies

Audit kernel version strings across the fleet to identify hosts running vulnerable builds before backported fixes
Monitor auditd for socket() syscalls with AF_CAN (domain 29) from unexpected processes or user contexts
Enable kernel lockdown and KASAN in test environments to surface latent use-after-free conditions during validation
Correlate kernel ring buffer warnings with process activity to identify exploitation attempts

Monitoring Recommendations

Forward /var/log/kern.log and journalctl -k output to a centralized logging platform for retroactive analysis
Alert on processes invoking setsockopt against SOL_CAN_RAW from non-allowlisted binaries
Track loaded kernel modules; flag dynamic loading of can, can_raw, or vcan on systems that do not require CAN functionality
Baseline normal CAN socket activity on automotive or industrial hosts to detect deviations

How to Mitigate CVE-2026-31532

Immediate Actions Required

Apply the upstream Linux kernel patches referenced in the git.kernel.org stable tree commits and reboot affected systems
Inventory hosts with the can_raw module loaded and prioritize patching on systems exposing CAN interfaces to unprivileged users
Restrict CAP_NET_RAW and disable unprivileged user namespaces (kernel.unprivileged_userns_clone=0) where operationally feasible
Blacklist the can_raw kernel module on systems that do not require CAN bus functionality

Patch Information

The fix has been merged across multiple stable kernel branches. Refer to the following commits for the authoritative patch content:

The patch relocates free_percpu(ro->uniq) from raw_release() into a dedicated socket destructor, ensuring per-CPU memory is freed only after RCU callbacks drain.

Workarounds

Blacklist the can_raw module via /etc/modprobe.d/blacklist-can.conf on hosts without CAN requirements
Remove CAP_NET_RAW from non-essential service accounts and containers
Disable unprivileged user namespaces to reduce the attack surface for local privilege escalation primitives
Apply SELinux or AppArmor policies restricting AF_CAN socket creation to authorized binaries

bash

# Configuration example: blacklist CAN raw module and harden namespace policy
echo "blacklist can_raw" | sudo tee /etc/modprobe.d/blacklist-can-raw.conf
echo "blacklist can"     | sudo tee -a /etc/modprobe.d/blacklist-can-raw.conf
sudo sysctl -w kernel.unprivileged_userns_clone=0
echo "kernel.unprivileged_userns_clone=0" | sudo tee -a /etc/sysctl.d/99-hardening.conf
sudo update-initramfs -u

CVE-2026-31532 Overview

Critical Impact
Local attackers with the ability to open CAN raw sockets can exploit the use-after-free in raw_rcv() to corrupt kernel memory, with potential for local privilege escalation on affected Linux systems.

Affected Products

Linux Kernel (multiple stable branches receiving backported fixes)
Distributions shipping vulnerable kernels with CONFIG_CAN_RAW enabled
Embedded and automotive Linux systems using the CAN subsystem

Discovery Timeline

2026-04-23 - CVE-2026-31532 published to the National Vulnerability Database
2026-04-29 - Last updated in NVD database

Technical Details for CVE-2026-31532

Vulnerability Analysis

Root Cause

Attack Vector

No public proof-of-concept exploit is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2026-31532

Indicators of Compromise

Kernel oops or panic messages referencing raw_rcv, raw_release, or free_percpu in dmesg output
KASAN (Kernel Address Sanitizer) reports indicating use-after-free in the net/can/raw.c code path
Unexpected process crashes or kernel instability on systems with CAN subsystem activity
Anomalous socket creation patterns involving AF_CAN with SOCK_RAW

Detection Strategies

Audit kernel version strings across the fleet to identify hosts running vulnerable builds before backported fixes
Monitor auditd for socket() syscalls with AF_CAN (domain 29) from unexpected processes or user contexts
Enable kernel lockdown and KASAN in test environments to surface latent use-after-free conditions during validation
Correlate kernel ring buffer warnings with process activity to identify exploitation attempts

Monitoring Recommendations

Forward /var/log/kern.log and journalctl -k output to a centralized logging platform for retroactive analysis
Alert on processes invoking setsockopt against SOL_CAN_RAW from non-allowlisted binaries
Track loaded kernel modules; flag dynamic loading of can, can_raw, or vcan on systems that do not require CAN functionality
Baseline normal CAN socket activity on automotive or industrial hosts to detect deviations

How to Mitigate CVE-2026-31532

Immediate Actions Required

Apply the upstream Linux kernel patches referenced in the git.kernel.org stable tree commits and reboot affected systems
Inventory hosts with the can_raw module loaded and prioritize patching on systems exposing CAN interfaces to unprivileged users
Restrict CAP_NET_RAW and disable unprivileged user namespaces (kernel.unprivileged_userns_clone=0) where operationally feasible
Blacklist the can_raw kernel module on systems that do not require CAN bus functionality

Patch Information

The fix has been merged across multiple stable kernel branches. Refer to the following commits for the authoritative patch content:

The patch relocates free_percpu(ro->uniq) from raw_release() into a dedicated socket destructor, ensuring per-CPU memory is freed only after RCU callbacks drain.

Workarounds

Blacklist the can_raw module via /etc/modprobe.d/blacklist-can.conf on hosts without CAN requirements
Remove CAP_NET_RAW from non-essential service accounts and containers
Disable unprivileged user namespaces to reduce the attack surface for local privilege escalation primitives
Apply SELinux or AppArmor policies restricting AF_CAN socket creation to authorized binaries

bash

# Configuration example: blacklist CAN raw module and harden namespace policy
echo "blacklist can_raw" | sudo tee /etc/modprobe.d/blacklist-can-raw.conf
echo "blacklist can"     | sudo tee -a /etc/modprobe.d/blacklist-can-raw.conf
sudo sysctl -w kernel.unprivileged_userns_clone=0
echo "kernel.unprivileged_userns_clone=0" | sudo tee -a /etc/sysctl.d/99-hardening.conf
sudo update-initramfs -u

CVE-2026-31532: Linux Kernel Use-After-Free Vulnerability

CVE-2026-31532 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-31532

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-31532

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-31532

Immediate Actions Required

Patch Information

Workarounds

Experience the Most Advanced Cybersecurity Platform

CVE-2026-31532: Linux Kernel Use-After-Free Vulnerability

CVE-2026-31532 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-31532

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-31532

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-31532

Immediate Actions Required

Patch Information

Workarounds

Experience the Most Advanced Cybersecurity Platform