CVE-2026-31532 Overview
CVE-2026-31532 is a use-after-free vulnerability [CWE-416] in the Linux kernel's Controller Area Network (CAN) raw socket implementation. The flaw resides in the raw_rcv() function, where the per-CPU ro->uniq storage can be accessed after being freed by raw_release(). The root cause is a synchronization gap between filter unregistration and Read-Copy-Update (RCU) callback execution. A local authenticated attacker can trigger memory corruption in kernel space, potentially leading to privilege escalation or denial of service.
Critical Impact
Local attackers with the ability to open CAN raw sockets can exploit the use-after-free in raw_rcv() to corrupt kernel memory, with potential for local privilege escalation on affected Linux systems.
Affected Products
- Linux Kernel (multiple stable branches receiving backported fixes)
- Distributions shipping vulnerable kernels with CONFIG_CAN_RAW enabled
- Embedded and automotive Linux systems using the CAN subsystem
Discovery Timeline
- 2026-04-23 - CVE-2026-31532 published to the National Vulnerability Database
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-31532
Vulnerability Analysis
The vulnerability exists in the Linux kernel CAN raw protocol implementation (net/can/raw.c). When a process closes a CAN raw socket, raw_release() calls can_rx_unregister() to remove receive filters. However, the actual receiver deletion is deferred via call_rcu() to maintain RCU read-side guarantees for concurrent receivers.
The issue arises because raw_release() immediately calls free_percpu(ro->uniq) to release the per-CPU uniq storage. Meanwhile, raw_rcv() may still be executing inside an RCU read-side critical section on another CPU, holding a stale reference to ro->uniq. This produces a classic use-after-free window where the receive path dereferences freed per-CPU memory.
Root Cause
The root cause is improper lifetime management of the per-CPU uniq allocation relative to RCU grace periods. The can_rx_unregister() function takes an extra socket reference that is only dropped from the RCU callback, but free_percpu(ro->uniq) was not subject to the same deferral. The fix moves the free_percpu(ro->uniq) call out of raw_release() and into a raw-specific socket destructor (sk_destruct). This ensures the per-CPU area persists until all RCU callbacks have drained and the final socket reference is released.
Attack Vector
Exploitation requires local access and the ability to create CAN raw sockets, which typically requires CAP_NET_RAW or an unprivileged user namespace where this capability is granted. An attacker triggers the race by rapidly opening and closing CAN raw sockets while concurrent packet delivery causes raw_rcv() to execute. Successful exploitation corrupts kernel per-CPU memory, which can be leveraged for kernel information disclosure, denial of service, or privilege escalation through heap grooming techniques.
No public proof-of-concept exploit is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-31532
Indicators of Compromise
- Kernel oops or panic messages referencing raw_rcv, raw_release, or free_percpu in dmesg output
- KASAN (Kernel Address Sanitizer) reports indicating use-after-free in the net/can/raw.c code path
- Unexpected process crashes or kernel instability on systems with CAN subsystem activity
- Anomalous socket creation patterns involving AF_CAN with SOCK_RAW
Detection Strategies
- Audit kernel version strings across the fleet to identify hosts running vulnerable builds before backported fixes
- Monitor auditd for socket() syscalls with AF_CAN (domain 29) from unexpected processes or user contexts
- Enable kernel lockdown and KASAN in test environments to surface latent use-after-free conditions during validation
- Correlate kernel ring buffer warnings with process activity to identify exploitation attempts
Monitoring Recommendations
- Forward /var/log/kern.log and journalctl -k output to a centralized logging platform for retroactive analysis
- Alert on processes invoking setsockopt against SOL_CAN_RAW from non-allowlisted binaries
- Track loaded kernel modules; flag dynamic loading of can, can_raw, or vcan on systems that do not require CAN functionality
- Baseline normal CAN socket activity on automotive or industrial hosts to detect deviations
How to Mitigate CVE-2026-31532
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the git.kernel.org stable tree commits and reboot affected systems
- Inventory hosts with the can_raw module loaded and prioritize patching on systems exposing CAN interfaces to unprivileged users
- Restrict CAP_NET_RAW and disable unprivileged user namespaces (kernel.unprivileged_userns_clone=0) where operationally feasible
- Blacklist the can_raw kernel module on systems that do not require CAN bus functionality
Patch Information
The fix has been merged across multiple stable kernel branches. Refer to the following commits for the authoritative patch content:
- Linux Kernel Commit 1a0f2de81f7f
- Linux Kernel Commit 34c1741254ff
- Linux Kernel Commit 572f0bf536eb
- Linux Kernel Commit 5e9cfffad898
- Linux Kernel Commit 7201a531b9a5
- Linux Kernel Commit a535a9217ca3
The patch relocates free_percpu(ro->uniq) from raw_release() into a dedicated socket destructor, ensuring per-CPU memory is freed only after RCU callbacks drain.
Workarounds
- Blacklist the can_raw module via /etc/modprobe.d/blacklist-can.conf on hosts without CAN requirements
- Remove CAP_NET_RAW from non-essential service accounts and containers
- Disable unprivileged user namespaces to reduce the attack surface for local privilege escalation primitives
- Apply SELinux or AppArmor policies restricting AF_CAN socket creation to authorized binaries
# Configuration example: blacklist CAN raw module and harden namespace policy
echo "blacklist can_raw" | sudo tee /etc/modprobe.d/blacklist-can-raw.conf
echo "blacklist can" | sudo tee -a /etc/modprobe.d/blacklist-can-raw.conf
sudo sysctl -w kernel.unprivileged_userns_clone=0
echo "kernel.unprivileged_userns_clone=0" | sudo tee -a /etc/sysctl.d/99-hardening.conf
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


