KernelScan.io

HIGH

can isotp TxBuffer UAF

CVE-2026-31474

CVSS 7.8 / 10.0 (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H


In the Linux kernel, the following vulnerability has been resolved:

can: isotp: fix tx.buf use-after-free in isotp_sendmsg()

isotp_sendmsg() uses only cmpxchg() on so->tx.state to serialize access to so->tx.buf. isotp_release() waits for ISOTP_IDLE via wait_event_interruptible() and then calls kfree(so->tx.buf).

If a signal interrupts the wait_event_interruptible() inside close() while tx.state is ISOTP_SENDING, the loop exits early and release proceeds to force ISOTP_SHUTDOWN and continues to kfree(so->tx.buf) while sendmsg may still be reading so->tx.buf for the final CAN frame in isotp_fill_dataframe().

The so->tx.buf can be allocated once when the standard tx.buf length needs to be extended. Move the kfree() of this potentially extended tx.buf to sk_destruct time when both isotp_sendmsg() and isotp_release() are done.


Risk summary

An attacker with local access can trigger a use-after-free condition in the CAN ISOTP socket implementation by interrupting socket close operations with signals. This could lead to kernel memory corruption, system crashes, or potential privilege escalation. The vulnerability affects systems using CAN bus communication with ISOTP sockets.

Affected: net/can/isotp.c

Vulnerability analysis

Summary: Use-after-free vulnerability in CAN ISOTP socket implementation due to race condition between sendmsg and release operations

Root Cause: Race condition between isotp_sendmsg() reading so->tx.buf and isotp_release() freeing it when wait_event_interruptible() is interrupted by a signal

Attack Surface: Local attack surface requiring ability to create CAN ISOTP sockets and send signals to interrupt socket operations

Fix Mechanism: Defers buffer deallocation from isotp_release() to isotp_sock_destruct() which runs after all socket operations complete, eliminating the race window

Details: The vulnerability occurs in the CAN ISOTP (ISO Transport Protocol) socket implementation when isotp_release() is interrupted by a signal during wait_event_interruptible(). The root cause is inadequate synchronization between isotp_sendmsg() and isotp_release() when accessing the shared so->tx.buf buffer. isotp_sendmsg() uses only cmpxchg() on so->tx.state for serialization, while isotp_release() waits for ISOTP_IDLE state before freeing so->tx.buf. If a signal interrupts the wait during socket close while tx.state is ISOTP_SENDING, the release function exits early, forces ISOTP_SHUTDOWN, and proceeds to kfree(so->tx.buf) while sendmsg may still be reading the buffer in isotp_fill_dataframe(). The fix moves the kfree() operations from isotp_release() to a new isotp_sock_destruct() function that executes during socket destruction, ensuring both sendmsg and release operations are complete before buffer deallocation.
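The interleaving described above and the fix's deferral of the free to the last socket reference, as an added user-space model that is not the kernel's code: struct model_sock, drop_buf(), sock_put(), sendmsg_finish(), release_after_signal() and final_frame_from_live_buffer() are hypothetical stand-ins for struct isotp_sock and the isotp_* routines, and a freed tx_buf is nulled so the stale read is detected rather than dereferenced.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
enum { ISOTP_IDLE, ISOTP_SENDING, ISOTP_SHUTDOWN };
struct model_sock {            /* hypothetical stand-in for struct isotp_sock */
    int tx_state;
    char *tx_buf;              /* the (possibly extended) tx buffer; NULL once freed */
    int refcnt;                /* the file owns one ref; sendmsg holds one while running */
};
/* Models kfree(so->tx.buf); nulling the pointer lets the model catch a later read. */
static void drop_buf(struct model_sock *so)
{
    free(so->tx_buf);
    so->tx_buf = NULL;
}
/* Drops a reference; the last one runs the destructor (sk_destruct in the fix). */
static void sock_put(struct model_sock *so)
{
    if (--so->refcnt == 0)
        drop_buf(so);
}

/* sendmsg, second half: fill the final frame from tx_buf (isotp_fill_dataframe). */
static bool sendmsg_finish(struct model_sock *so, char *frame, size_t n)
{
    bool live = so->tx_buf != NULL;   /* false here is the use-after-free */
    if (live) memcpy(frame, so->tx_buf, n);
    so->tx_state = ISOTP_IDLE;
    sock_put(so);
    return live;
}

/* release(), on the path where a signal cut wait_event_interruptible() short. */
static void release_after_signal(struct model_sock *so, bool fixed)
{
    so->tx_state = ISOTP_SHUTDOWN;    /* forced although sendmsg is still mid-flight */
    if (!fixed)
        drop_buf(so);                 /* old code: freed here, too early */
    sock_put(so);                     /* fixed code: only the last put frees */
}

/* One interleaving: sendmsg has claimed tx.state, then close() is interrupted. */
bool final_frame_from_live_buffer(bool fixed)
{
    /* constructed sample payload standing in for the extended tx.buf */
    struct model_sock so = { ISOTP_IDLE, strcpy(calloc(16, 1), "isotp payload"), 1 };
    char frame[8];
    so.tx_state = ISOTP_SENDING; so.refcnt++;   /* sendmsg's cmpxchg() plus its socket hold */
    release_after_signal(&so, fixed);
    return sendmsg_finish(&so, frame, sizeof frame);
}
```

With the old release the final frame is built after the buffer is gone; with the deferred free the buffer outlives the in-flight sendmsg and is released by the last sock_put().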


Branch     Fixed in   Patch commit
6.12       6.12.80    9649d051e544
6.18       6.18.21    eec8a1b18a79
6.19       6.19.11    2e62e7051eca
6.6        6.6.131    cb3d6efa7846
mainline   7.0        424e95d62110