CVE-2026-31532 Overview
A use-after-free vulnerability has been identified in the Linux kernel's CAN (Controller Area Network) raw socket implementation. The vulnerability exists in the raw_rcv() function where a race condition between raw_release() and the RCU (Read-Copy-Update) callback mechanism can lead to the use of freed percpu memory storage.
The issue occurs because raw_release() unregisters raw CAN receive filters via can_rx_unregister(), but receiver deletion is deferred with call_rcu(). This creates a timing window where raw_rcv() may still be executing in an RCU read-side critical section after raw_release() has already freed ro->uniq, resulting in a use-after-free condition affecting the percpu uniq storage.
Critical Impact
Exploitation of this use-after-free vulnerability could allow a local attacker to cause kernel memory corruption, potentially leading to privilege escalation, denial of service, or arbitrary code execution in kernel context.
Affected Products
- Linux Kernel (CAN raw socket subsystem)
- Systems utilizing CAN bus interfaces with raw socket support
- Embedded and automotive systems with CAN networking capabilities
Discovery Timeline
- 2026-04-23 - CVE-2026-31532 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-31532
Vulnerability Analysis
The vulnerability is a classic use-after-free condition resulting from improper synchronization between socket release operations and RCU-protected callback execution. In the Linux kernel's CAN raw socket implementation, when a socket is closed, raw_release() initiates the cleanup process by calling can_rx_unregister() to remove the receive filters. However, the actual deletion of the receiver is deferred with call_rcu() so that readers still inside an RCU read-side critical section can finish safely.
The critical flaw lies in the timing of free_percpu(ro->uniq) being called directly within raw_release(). Since RCU callbacks may still be processing and raw_rcv() could be actively running in an RCU read-side critical section, the percpu uniq storage may be accessed after it has been freed, leading to a use-after-free condition.
Root Cause
The root cause is a synchronization error in the socket cleanup path where free_percpu(ro->uniq) is called prematurely in raw_release() before all RCU callbacks have completed execution. The RCU mechanism is designed to defer destruction until all readers have finished, but the manual free_percpu() call bypasses this protection, creating a race condition between the cleanup path and active receivers.
Attack Vector
The attack vector is local, requiring an attacker to have the ability to create and manipulate CAN raw sockets on the target system. An attacker could exploit this vulnerability by:
- Opening a CAN raw socket and registering receive filters
- Triggering rapid socket close operations while simultaneously generating CAN traffic
- Racing the raw_release() cleanup against active raw_rcv() callback execution
- Exploiting the freed percpu memory access to corrupt kernel memory structures
The vulnerability requires local access and the ability to interact with CAN interfaces, which may be present on automotive systems, industrial control systems, or any Linux-based device with CAN bus connectivity.
Detection Methods for CVE-2026-31532
Indicators of Compromise
- Kernel oops or panic messages referencing raw_rcv() or CAN raw socket functions
- KASAN (Kernel Address Sanitizer) reports indicating use-after-free in CAN subsystem
- Unexpected system crashes when closing CAN raw sockets under high traffic conditions
- Memory corruption symptoms in systems actively using CAN bus interfaces
Detection Strategies
- Enable KASAN (Kernel Address Sanitizer) to detect use-after-free conditions at runtime
- Monitor kernel logs for warning messages related to CAN socket operations or percpu memory access
- Deploy SentinelOne Singularity platform for real-time kernel exploit detection and prevention
- Implement system call auditing for socket() and close() operations involving CAN protocol family
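The log indicators listed above can be triaged mechanically. This added example (not part of the original advisory) tags kernel-log lines whose access site, instruction pointer or stack frame is in raw_rcv(); the function names and tags are illustrative and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: flag kernel-log lines that reference raw_rcv().
# Feed it real logs with:  dmesg | scan_can_raw_log

# Print one tagged line per indicator found on stdin.
scan_can_raw_log() {
    awk '
        # True when the line names an offset inside raw_rcv(),
        # whether built in or loaded from the can_raw module.
        function in_raw_rcv(s) { return s ~ /raw_rcv\+0x/ }

        # KASAN report header. Keyed on the access site, not on the
        # bug-type string, so any report type in raw_rcv() is caught.
        /BUG: KASAN: / && in_raw_rcv($0) { print "KASAN\t" $0; next }

        # Oops or panic whose faulting instruction pointer is in raw_rcv().
        /RIP: [0-9a-f]+:/ && in_raw_rcv($0) { print "OOPS_RIP\t" $0; next }

        # Any other mention: raw_rcv() was on the stack of a reported fault.
        in_raw_rcv($0) { print "TRACE\t" $0 }
    '
}

# Constructed sample log (addresses, offsets and task names are made up).
sample_log() {
    cat <<'EOF'
[ 1021.334455] can: raw protocol
[ 1093.120001] BUG: KASAN: use-after-free in raw_rcv+0x1a2/0x3f0 [can_raw]
[ 1093.120019] Read of size 4 at addr ffff888000000000 by task example/4242
[ 1093.120140]  raw_rcv+0x1a2/0x3f0 [can_raw]
[ 1187.554377] RIP: 0010:raw_rcv+0x5c/0x3f0 [can_raw]
[ 1200.000001] BUG: KASAN: use-after-free in unrelated_fn+0x10/0x20
EOF
}

sample_log | scan_can_raw_log
```

A hit is a reason to check the running kernel against the fixed commits, not proof of exploitation; the same lines appear when the race is hit accidentally under load.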
Monitoring Recommendations
- Configure kernel debug options to log CAN subsystem activity and socket lifecycle events
- Monitor for unusual patterns of CAN socket creation and destruction
- Enable lockdep and RCU debugging features in development/test environments
- Use SentinelOne's behavioral AI engine to detect anomalous kernel memory access patterns
How to Mitigate CVE-2026-31532
Immediate Actions Required
- Apply the kernel patches from the official Linux kernel git repository immediately
- Restrict access to CAN interfaces to trusted users and processes only
- Disable CAN raw socket support if not required for system operation
- Monitor systems for signs of exploitation attempts until patches are applied
Patch Information
The Linux kernel maintainers have released fixes that move free_percpu(ro->uniq) out of raw_release() and into a raw-specific socket destructor. The fix ensures that can_rx_unregister() takes an extra reference to the socket and only drops it from the RCU callback, guaranteeing the percpu area is not released until all relevant callbacks have drained.
Patches are available from the following kernel git commits:
- Kernel Git Commit 1a0f2de
- Kernel Git Commit 34c1741
- Kernel Git Commit 572f0bf
- Kernel Git Commit 7201a53
Workarounds
- Unload the can_raw kernel module if CAN functionality is not required: modprobe -r can_raw
- Restrict access to CAN interfaces using device permissions or network namespaces
- Implement application-level rate limiting for CAN socket operations to reduce exploitation likelihood
- Use containerization or virtualization to isolate systems requiring CAN access from critical infrastructure
# Disable CAN raw socket module loading
echo "install can_raw /bin/false" >> /etc/modprobe.d/disable-can-raw.conf
# Restrict CAN device sysfs attributes (does not control who can open AF_CAN sockets)
chmod 600 /sys/class/net/can*/device/*
# Blacklist can_raw module (requires reboot)
echo "blacklist can_raw" >> /etc/modprobe.d/blacklist-can.conf
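To confirm that the module-blocking workaround above is actually in effect, the following added check (not part of the original advisory) reports whether can_raw is built into the kernel, already loaded, or blocked from loading. The function name and output labels are illustrative; the three paths default to the live system and can be pointed at a mounted image instead.

```shell
#!/bin/sh
# Added example: report whether the can_raw workaround is in effect.
# Usage: can_raw_exposure [modules-file] [modprobe.d-dir] [modules.builtin]
can_raw_exposure() {
    modules=${1:-/proc/modules}
    confdir=${2:-/etc/modprobe.d}
    builtin=${3:-/lib/modules/$(uname -r)/modules.builtin}

    # Built into the kernel image: modprobe.d settings cannot remove it.
    if [ -r "$builtin" ] && grep -q '/can-raw\.ko$' "$builtin"; then
        echo "EXPOSED builtin"; return 0
    fi

    # Already loaded: the config lines only affect future load attempts,
    # so "modprobe -r can_raw" (or a reboot) is still needed.
    if [ -r "$modules" ] && grep -q '^can_raw ' "$modules"; then
        echo "EXPOSED loaded"; return 0
    fi

    # An "install ... /bin/false" override makes every modprobe of the
    # module fail, whether requested by name or through an alias.
    if grep -Eqs '^[[:space:]]*install[[:space:]]+can[_-]raw[[:space:]]+/bin/(false|true)' \
            "$confdir"/*.conf; then
        echo "BLOCKED install-override"; return 0
    fi

    # "blacklist" only makes modprobe ignore the module's internal
    # aliases; an explicit "modprobe can_raw" still loads it.
    if grep -Eqs '^[[:space:]]*blacklist[[:space:]]+can[_-]raw' "$confdir"/*.conf; then
        echo "PARTIAL blacklist-only"; return 0
    fi

    echo "EXPOSED loadable-on-demand"
}

can_raw_exposure "$@"
```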
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


