VYPR
patchPublished Jul 15, 2026· 1 source

Linux Kernel Race Condition in CAN ISO-TP Protocol Enables Local Privilege Escalation

A race condition vulnerability in the Linux Kernel's CAN ISO-TP protocol allows local attackers with prior low-privileged code execution to escalate privileges to the kernel level.

A newly disclosed vulnerability within the Linux Kernel's Controller Area Network (CAN) ISO-TP protocol presents a significant local privilege escalation risk. Identified as ZDI-26-442 by the Zero Day Initiative, this flaw allows an attacker who has already gained low-privileged access to a system to elevate their privileges to the kernel level.

The vulnerability stems from a race condition that occurs during the handling of socket close operations. Specifically, the issue arises from the lack of proper locking mechanisms when performing operations on a particular object within the protocol's implementation. This oversight can be exploited by an attacker to manipulate the system's state, ultimately leading to the execution of arbitrary code with kernel privileges.

Exploitation of ZDI-26-442 requires an attacker to first achieve a foothold on the target system with a low level of privilege. Once this initial access is secured, the attacker can then trigger the race condition to escalate their privileges. The Zero Day Initiative has assigned a CVSS score of 7.8 to this vulnerability, indicating a high severity level.

Linux has already issued an update to address this vulnerability. Security researchers and system administrators are strongly advised to apply the available patches as soon as possible to mitigate the risk of exploitation. Further technical details and the specific patch can be found via a link to the Linux kernel mailing list discussion: https://lore.kernel.org/linux-can/20260707083228.47629-1-socketcan@hartkopp.net/

The vulnerability was reported to the vendor on July 3, 2026, and the coordinated public release of the advisory occurred on July 15, 2026. The advisory was updated on the same day, indicating the prompt response from the Linux kernel development community.

This disclosure highlights the ongoing challenges in securing complex operating system kernels. Even well-established components like the Linux kernel can harbor subtle race conditions that, when combined with initial low-privilege access, can lead to severe security compromises. The CAN ISO-TP protocol, often used in automotive and industrial embedded systems, is a critical component where such vulnerabilities can have significant implications.

The discovery and responsible disclosure of this vulnerability are credited to researcher Nico Yip, who operates under the handle @_cyeaa_ on social media. His work contributes to the broader effort of identifying and remediating security flaws in widely used software.

System administrators should prioritize patching their Linux systems to protect against this privilege escalation vector. While exploitation requires prior access, the severity of gaining kernel-level control makes this a critical update for any environment utilizing the CAN ISO-TP protocol.

Synthesized by Vypr AI