CVE-2026-31474

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A use-after-free issue exists in the isotp sendmsg() function. The function uses cmpxchg() on so->tx.state to serialize access to so->tx.buf. When isotp release() waits for ISOTP IDLE via wait event interruptible(), a signal can interrupt this process during a close() operation while tx.state is ISOTP SENDING. This causes the loop to exit prematurely, leading the release process to force ISOTP SHUTDOWN and call kfree(so->tx.buf) while isotp fill dataframe() may still be reading so->tx.buf for the final CAN frame.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.