{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31474", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.098Z", "datePublished": "2026-04-22T13:54:03.100Z", "dateUpdated": "2026-05-11T22:09:26.119Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:09:26.119Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: isotp: fix tx.buf use-after-free in isotp_sendmsg()\n\nisotp_sendmsg() uses only cmpxchg() on so->tx.state to serialize access\nto so->tx.buf. isotp_release() waits for ISOTP_IDLE via\nwait_event_interruptible() and then calls kfree(so->tx.buf).\n\nIf a signal interrupts the wait_event_interruptible() inside close()\nwhile tx.state is ISOTP_SENDING, the loop exits early and release\nproceeds to force ISOTP_SHUTDOWN and continues to kfree(so->tx.buf)\nwhile sendmsg may still be reading so->tx.buf for the final CAN frame\nin isotp_fill_dataframe().\n\nThe so->tx.buf can be allocated once when the standard tx.buf length needs\nto be extended. Move the kfree() of this potentially extended tx.buf to\nsk_destruct time when either isotp_sendmsg() and isotp_release() are done."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/can/isotp.c"], "versions": [{"version": "96d1c81e6a0478535342dff6c730adb076cd84e8", "lessThan": "cb3d6efa78460e6d50bf68806d0db66265709f64", "status": "affected", "versionType": "git"}, {"version": "96d1c81e6a0478535342dff6c730adb076cd84e8", "lessThan": "9649d051e54413049c009638ec1dc23962c884a4", "status": "affected", "versionType": "git"}, {"version": "96d1c81e6a0478535342dff6c730adb076cd84e8", "lessThan": "eec8a1b18a79600bd4419079dc0026c1db72a830", "status": "affected", "versionType": "git"}, {"version": "96d1c81e6a0478535342dff6c730adb076cd84e8", "lessThan": "2e62e7051eca75a7f2e3d52d62ec10d7d7aa358c", "status": "affected", "versionType": "git"}, {"version": "96d1c81e6a0478535342dff6c730adb076cd84e8", "lessThan": "424e95d62110cdbc8fd12b40918f37e408e35a92", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/can/isotp.c"], "versions": [{"version": "6.4", "status": "affected"}, {"version": "0", "lessThan": "6.4", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.131", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.6.131"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/cb3d6efa78460e6d50bf68806d0db66265709f64"}, {"url": "https://git.kernel.org/stable/c/9649d051e54413049c009638ec1dc23962c884a4"}, {"url": "https://git.kernel.org/stable/c/eec8a1b18a79600bd4419079dc0026c1db72a830"}, {"url": "https://git.kernel.org/stable/c/2e62e7051eca75a7f2e3d52d62ec10d7d7aa358c"}, {"url": "https://git.kernel.org/stable/c/424e95d62110cdbc8fd12b40918f37e408e35a92"}], "title": "can: isotp: fix tx.buf use-after-free in isotp_sendmsg()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "523F816F-7981-495C-95C0-E3588239D4B9", "versionEndExcluding": "6.6.131", "versionStartIncluding": "6.4.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "97EB19EC-A11E-49C6-9D2F-6F6EC6CB98B6", "versionEndExcluding": "6.12.80", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED39847A-3B46-4729-B7CA-B2C30B9FA8FE", "versionEndExcluding": "6.18.21", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7", "versionEndExcluding": "6.19.11", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.4:-:*:*:*:*:*:*", "matchCriteriaId": "DE0B0BF6-0EEF-4FAD-927D-7A0DD77BEE75", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: isotp: fix tx.buf use-after-free in isotp_sendmsg()\n\nisotp_sendmsg() uses only cmpxchg() on so->tx.state to serialize access\nto so->tx.buf. isotp_release() waits for ISOTP_IDLE via\nwait_event_interruptible() and then calls kfree(so->tx.buf).\n\nIf a signal interrupts the wait_event_interruptible() inside close()\nwhile tx.state is ISOTP_SENDING, the loop exits early and release\nproceeds to force ISOTP_SHUTDOWN and continues to kfree(so->tx.buf)\nwhile sendmsg may still be reading so->tx.buf for the final CAN frame\nin isotp_fill_dataframe().\n\nThe so->tx.buf can be allocated once when the standard tx.buf length needs\nto be extended. Move the kfree() of this potentially extended tx.buf to\nsk_destruct time when either isotp_sendmsg() and isotp_release() are done."}], "id": "CVE-2026-31474", "lastModified": "2026-04-27T23:27:13.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-22T14:16:44.053", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2e62e7051eca75a7f2e3d52d62ec10d7d7aa358c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/424e95d62110cdbc8fd12b40918f37e408e35a92"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9649d051e54413049c009638ec1dc23962c884a4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/cb3d6efa78460e6d50bf68806d0db66265709f64"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/eec8a1b18a79600bd4419079dc0026c1db72a830"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: can: isotp: fix tx.buf use-after-free in isotp_sendmsg()", "id": "2460646", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460646"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-364", "details": ["A flaw was found in the Linux kernel's Controller Area Network (CAN) ISO-TP (isotp) module. This vulnerability, known as a use-after-free, occurs when the system attempts to free a memory region while it is still being used. A local attacker could trigger this condition by sending a signal that interrupts a specific waiting process during a close operation. This can lead to memory corruption, potentially causing the system to crash (denial of service) or behave unpredictably."], "name": "CVE-2026-31474", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31474\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31474\nhttps://lore.kernel.org/linux-cve-announce/2026042256-CVE-2026-31474-8673@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[96d1c81e6a0478535342dff6c730adb076cd84e8,cb3d6efa78460e6d50bf68806d0db66265709f64)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[96d1c81e6a0478535342dff6c730adb076cd84e8,9649d051e54413049c009638ec1dc23962c884a4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[96d1c81e6a0478535342dff6c730adb076cd84e8,eec8a1b18a79600bd4419079dc0026c1db72a830)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[96d1c81e6a0478535342dff6c730adb076cd84e8,2e62e7051eca75a7f2e3d52d62ec10d7d7aa358c)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[96d1c81e6a0478535342dff6c730adb076cd84e8,424e95d62110cdbc8fd12b40918f37e408e35a92)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.4"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.4)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.131,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.80,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.21,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.11,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T15:40:00.957423+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the patch for the ISO\u2011TP sendmsg use\u2011after\u2011free bug", "Reboot the system after upgrading to ensure the new kernel is running", "If an immediate upgrade is not possible, consider disabling the ISO\u2011TP functionality in the CAN network stack or isolating CAN devices until a patched kernel is available"], "summary": {"action": "Patch Now", "impact": "Use\u2011After\u2011Free in Linux CAN ISO\u2011TP driver"}, "threat_synthesis": {"affected_systems": "All Linux kernel installations that include the problematic CAN ISO\u2011TP driver are potentially vulnerable; the CVE does not specify particular kernel releases, and the list of affected versions is not provided in the vendor data.", "description_and_impact": "The CVE involves a use\u2011after\u2011free flaw in the Linux kernel's CAN ISO\u2011TP driver (CWE\u2011416) coupled with a race condition (CWE\u2011364). When a close operation is interrupted by a signal while a transmission is in progress, the driver may free the transmission buffer before the sending routine has finished using it. This can lead to kernel memory corruption, a crash, or denial of service.", "risk_and_exploitability": "The CVSS base score is 7.8, indicating high severity. The EPSS score is <1%, showing a low likelihood of exploitation. Attackers would need to trigger a close operation with an interrupting signal while a transmission is underway, a scenario that is difficult to accomplish from a remote context but possible from a local or privileged environment. Since no public exploits exist, the risk is primarily the potential for a kernel crash or memory corruption that could be exploited to gain higher privileges or disrupt system availability. The flaw is not listed in CISA\u2019s KEV catalog, and the attack vector is confined to local or remote code execution that affects the CAN network stack."}}}}, "created": "2026-04-22T19:00:08.095909+00:00", "updated": "2026-04-28T15:45:06.380300+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}