CVE-2026-31474
Description
In the Linux kernel, the following vulnerability has been resolved:
can: isotp: fix tx.buf use-after-free in isotp_sendmsg()
isotp_sendmsg() uses only cmpxchg() on so->tx.state to serialize access to so->tx.buf. isotp_release() waits for ISOTP_IDLE via wait_event_interruptible() and then calls kfree(so->tx.buf).
If a signal interrupts the wait_event_interruptible() inside close() while tx.state is ISOTP_SENDING, the loop exits early and release proceeds to force ISOTP_SHUTDOWN and continues to kfree(so->tx.buf) while sendmsg may still be reading so->tx.buf for the final CAN frame in isotp_fill_dataframe().
The so->tx.buf can be allocated once when the standard tx.buf length needs to be extended. Move the kfree() of this potentially extended tx.buf to sk_destruct time when both isotp_sendmsg() and isotp_release() are done.
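A userspace model of the lifetime rule the fix establishes, added here as an illustration; it is not the kernel patch or code from this page. The `model_*` names, the explicit reference count and the constructed 0xA5 payload are assumptions; only the ISOTP_* state names come from the description.

```c
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>

enum { ISOTP_IDLE, ISOTP_SENDING, ISOTP_SHUTDOWN }; /* state names from the CVE text */

struct model_sock {          /* hypothetical stand-in for the isotp socket */
    atomic_int refs;         /* models the socket reference count */
    atomic_int tx_state;
    unsigned char *tx_buf;   /* models the possibly extended so->tx.buf */
    size_t tx_len;
};
int destruct_calls;          /* counts frees so callers can observe the lifetime */
struct model_sock *model_open(size_t len) {
    struct model_sock *so = calloc(1, sizeof(*so));
    if (!so || !(so->tx_buf = malloc(len))) { free(so); return NULL; }
    memset(so->tx_buf, 0xA5, len);           /* constructed payload */
    so->tx_len = len;
    atomic_init(&so->refs, 1);               /* reference held by the open fd */
    atomic_init(&so->tx_state, ISOTP_IDLE);
    return so;
}
/* Destructor path: the only place tx_buf is freed (sk_destruct's role in the fix). */
void model_put(struct model_sock *so) {
    if (atomic_fetch_sub(&so->refs, 1) != 1) return;
    free(so->tx_buf);
    free(so);
    destruct_calls++;
}
/* Sender claims the tx path via compare-exchange and pins the socket while it runs. */
int model_send_begin(struct model_sock *so) {
    int idle = ISOTP_IDLE;
    if (!atomic_compare_exchange_strong(&so->tx_state, &idle, ISOTP_SENDING)) return -1;
    atomic_fetch_add(&so->refs, 1);
    return 0;
}
/* Sender reads tx_buf for the final frame, then drops its reference. */
int model_send_finish(struct model_sock *so) {
    int last = so->tx_buf[so->tx_len - 1];
    model_put(so);
    return last;
}
/* Release after an interrupted wait: force SHUTDOWN, drop the fd reference, free nothing.
 * Returns 1 if a sender was still in ISOTP_SENDING at that moment. */
int model_release(struct model_sock *so) {
    int prev = atomic_exchange(&so->tx_state, ISOTP_SHUTDOWN);
    model_put(so);
    return prev == ISOTP_SENDING;
}
```

Calling `model_send_begin()`, then `model_release()`, then `model_send_finish()` reproduces the interleaving from the description: the buffer survives release and is freed only when the last reference is dropped.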
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* range: >=6.4.1,<6.6.131
- cpe:2.3:o:linux:linux_kernel:6.4:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
- osv-coords, 75 versions, range: < 6.12.0-211.26.1.el10_2: pkg:rpm/almalinux/kernel, pkg:rpm/almalinux/kernel-64k, pkg:rpm/almalinux/kernel-64k-core, pkg:rpm/almalinux/kernel-64k-debug, pkg:rpm/almalinux/kernel-64k-debug-core, pkg:rpm/almalinux/kernel-64k-debug-devel, pkg:rpm/almalinux/kernel-64k-debug-devel-matched, pkg:rpm/almalinux/kernel-64k-debug-modules, pkg:rpm/almalinux/kernel-64k-debug-modules-core, pkg:rpm/almalinux/kernel-64k-debug-modules-extra, pkg:rpm/almalinux/kernel-64k-devel, pkg:rpm/almalinux/kernel-64k-devel-matched, pkg:rpm/almalinux/kernel-64k-modules, pkg:rpm/almalinux/kernel-64k-modules-core, pkg:rpm/almalinux/kernel-64k-modules-extra, pkg:rpm/almalinux/kernel-abi-stablelists, pkg:rpm/almalinux/kernel-core, pkg:rpm/almalinux/kernel-cross-headers, pkg:rpm/almalinux/kernel-debug, pkg:rpm/almalinux/kernel-debug-core, pkg:rpm/almalinux/kernel-debug-devel, pkg:rpm/almalinux/kernel-debug-devel-matched, pkg:rpm/almalinux/kernel-debug-modules, pkg:rpm/almalinux/kernel-debug-modules-core, pkg:rpm/almalinux/kernel-debug-modules-extra, pkg:rpm/almalinux/kernel-debug-uki-virt, pkg:rpm/almalinux/kernel-devel, pkg:rpm/almalinux/kernel-devel-matched, pkg:rpm/almalinux/kernel-doc, pkg:rpm/almalinux/kernel-headers, pkg:rpm/almalinux/kernel-modules, pkg:rpm/almalinux/kernel-modules-core, pkg:rpm/almalinux/kernel-modules-extra, pkg:rpm/almalinux/kernel-modules-extra-matched, pkg:rpm/almalinux/kernel-rt, pkg:rpm/almalinux/kernel-rt-64k, pkg:rpm/almalinux/kernel-rt-64k-core, pkg:rpm/almalinux/kernel-rt-64k-debug, pkg:rpm/almalinux/kernel-rt-64k-debug-core, pkg:rpm/almalinux/kernel-rt-64k-debug-devel, pkg:rpm/almalinux/kernel-rt-64k-debug-modules, pkg:rpm/almalinux/kernel-rt-64k-debug-modules-core, pkg:rpm/almalinux/kernel-rt-64k-debug-modules-extra, pkg:rpm/almalinux/kernel-rt-64k-devel, pkg:rpm/almalinux/kernel-rt-64k-modules, pkg:rpm/almalinux/kernel-rt-64k-modules-core, pkg:rpm/almalinux/kernel-rt-64k-modules-extra, pkg:rpm/almalinux/kernel-rt-core, pkg:rpm/almalinux/kernel-rt-debug, pkg:rpm/almalinux/kernel-rt-debug-core, pkg:rpm/almalinux/kernel-rt-debug-devel, pkg:rpm/almalinux/kernel-rt-debug-modules, pkg:rpm/almalinux/kernel-rt-debug-modules-core, pkg:rpm/almalinux/kernel-rt-debug-modules-extra, pkg:rpm/almalinux/kernel-rt-devel, pkg:rpm/almalinux/kernel-rt-modules, pkg:rpm/almalinux/kernel-rt-modules-core, pkg:rpm/almalinux/kernel-rt-modules-extra, pkg:rpm/almalinux/kernel-tools, pkg:rpm/almalinux/kernel-tools-libs, pkg:rpm/almalinux/kernel-tools-libs-devel, pkg:rpm/almalinux/kernel-uki-virt, pkg:rpm/almalinux/kernel-uki-virt-addons, pkg:rpm/almalinux/kernel-zfcpdump, pkg:rpm/almalinux/kernel-zfcpdump-core, pkg:rpm/almalinux/kernel-zfcpdump-devel, pkg:rpm/almalinux/kernel-zfcpdump-devel-matched, pkg:rpm/almalinux/kernel-zfcpdump-modules, pkg:rpm/almalinux/kernel-zfcpdump-modules-core, pkg:rpm/almalinux/kernel-zfcpdump-modules-extra, pkg:rpm/almalinux/libperf, pkg:rpm/almalinux/perf, pkg:rpm/almalinux/python3-perf, pkg:rpm/almalinux/rtla, pkg:rpm/almalinux/rv
- (no CPE) range: < 6.12.0-211.26.1.el10_2
References
- git.kernel.org/stable/c/2e62e7051eca75a7f2e3d52d62ec10d7d7aa358c (nvd, Patch)
- git.kernel.org/stable/c/424e95d62110cdbc8fd12b40918f37e408e35a92 (nvd, Patch)
- git.kernel.org/stable/c/9649d051e54413049c009638ec1dc23962c884a4 (nvd, Patch)
- git.kernel.org/stable/c/cb3d6efa78460e6d50bf68806d0db66265709f64 (nvd, Patch)
- git.kernel.org/stable/c/eec8a1b18a79600bd4419079dc0026c1db72a830 (nvd, Patch)