PT-2026-34658 · Linux+1 · Linux Kernel+1

Published 2026-04-23 · Updated 2026-06-11 · CVE-2026-31532

CVSS v3.1: 7.8 High

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

A race condition exists in the SocketCAN subsystem of the Linux kernel. The raw_release() function unregisters raw CAN receive filters through can_rx_unregister(), but the deletion of the receiver is deferred using call_rcu(). This creates a timing window where the raw_rcv() function may still be executing within an RCU read-side critical section after raw_release() has already freed ro->uniq, resulting in a use-after-free of the percpu uniq storage.

Recommendations

Move the free_percpu(ro->uniq) call from raw_release() to a raw-specific socket destructor. This ensures that the percpu area is not released until the relevant callbacks have drained, as can_rx_unregister() maintains an extra reference to the socket that is only dropped from the RCU callback, allowing sk_destruct to handle the freeing of uniq safely.
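
The ordering described above, as an added deterministic userspace model (not kernel code and not the upstream patch). All model_* names are hypothetical, and the starting reference count of 2 is an assumption standing for the owner's reference plus the extra reference that is dropped from the RCU callback.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical stand-in for the raw CAN socket; not a kernel structure. */
struct model_sock {
    int refcnt;                            /* socket reference count */
    int *uniq;                             /* stands in for percpu ro->uniq */
    bool uniq_live;                        /* false once the area is freed */
    void (*destruct)(struct model_sock *); /* plays the role of sk_destruct */
};

static void model_free_uniq(struct model_sock *sk) {
    free(sk->uniq);
    sk->uniq = NULL;
    sk->uniq_live = false;
}

/* Dropping the last reference runs the destructor, if one is set. */
static void model_sock_put(struct model_sock *sk) {
    if (--sk->refcnt == 0 && sk->destruct)
        sk->destruct(sk);
}

/* release(): the pre-fix ordering frees uniq here, while the receiver's
 * reference (dropped only by the deferred callback) is still outstanding. */
static void model_release(struct model_sock *sk, bool fixed) {
    if (!fixed)
        model_free_uniq(sk);
    model_sock_put(sk);                    /* drop the owner's reference */
}

/* Returns true when a receive callback still in flight after release()
 * finds uniq allocated, and uniq is freed once the last reference drops. */
bool model_late_rcv_sees_live_uniq(bool fixed) {
    struct model_sock sk = {
        .refcnt = 2, .uniq = calloc(1, sizeof(int)), .uniq_live = true,
        .destruct = fixed ? model_free_uniq : NULL, /* fix: free in destructor */
    };
    model_release(&sk, fixed);
    bool live = sk.uniq_live;   /* the point where raw_rcv() would touch uniq */
    if (live)
        (*sk.uniq)++;           /* valid only because uniq is still allocated */
    model_sock_put(&sk);        /* deferred (RCU) callback drops the last ref */
    return live && !sk.uniq_live;
}
```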

Fix

DoS

Use After Free


Weakness Enumeration

Related Identifiers

ALSA-2026:19568
ALSA-2026:21706
ALSA-2026:21745
ALSA-2026:25191
CVE-2026-31532
ECHO-E29D-BE2E-72E1
OESA-2026-2581
OPENSUSE-SU-2026:10703-1
RHSA-2026:13932
RHSA-2026:14339
RHSA-2026:15883
RHSA-2026:19521
RHSA-2026:19568
RHSA-2026:19705
RHSA-2026:19711
RHSA-2026:19875
RHSA-2026:20130
RHSA-2026:20593
RHSA-2026:21706
RHSA-2026:21745

Affected Products

Linux Kernel
Rocky Linux