PT-2026-34658 · Linux · Linux

Published 2026-04-23 · Updated 2026-04-23 · CVE-2026-31532

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:

can: raw: fix ro->uniq use-after-free in raw_rcv()

raw_release() unregisters raw CAN receive filters via can_rx_unregister(), but receiver deletion is deferred with call_rcu(). This leaves a window where raw_rcv() may still be running in an RCU read-side critical section after raw_release() frees ro->uniq, leading to a use-after-free of the percpu uniq storage.

Move free_percpu(ro->uniq) out of raw_release() and into a raw-specific socket destructor. can_rx_unregister() takes an extra reference to the socket and only drops it from the RCU callback, so freeing uniq from sk_destruct ensures the percpu area is not released until the relevant callbacks have drained.

[mkl: applied manually]
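
The lifetime rule described above, as an added userspace model that is not kernel code and not part of the original commit. All type and function names are hypothetical, a single pending slot stands in for call_rcu(), and the early-free case sets the pointer to NULL so the model reports the window instead of touching freed memory.

```c
#include <stdlib.h>

/* Userspace model, constructed for illustration; all names are hypothetical. */
struct sock_model {
    int refcnt;  /* stands in for the socket reference count */
    int *uniq;   /* stands in for the percpu ro->uniq storage */
};
static struct sock_model *pending;  /* one deferred call_rcu()-style callback */

/* Dropping the last reference runs the destructor, which frees uniq. */
static void put_model(struct sock_model *sk) {
    if (--sk->refcnt == 0) {
        free(sk->uniq);
        sk->uniq = NULL;
    }
}

/* Unregister: take an extra reference and defer the receiver deletion. */
static void rx_unregister_model(struct sock_model *sk) {
    sk->refcnt++;
    pending = sk;
}

/* Grace period ends: the deferred callback drops the extra reference. */
static void grace_period_model(void) {
    struct sock_model *sk = pending;
    pending = NULL;
    if (sk)
        put_model(sk);
}

/* free_early = 1 models the pre-fix ordering, 0 the fixed ordering. */
static void release_model(struct sock_model *sk, int free_early) {
    rx_unregister_model(sk);
    if (free_early) {
        free(sk->uniq);
        sk->uniq = NULL;  /* NULL marks "already freed" so the model stays safe */
    }
    put_model(sk);
}

/* What a receiver still inside the read-side section observes. */
int late_receive(int free_early) {
    struct sock_model sk = { 1, calloc(1, sizeof(int)) };
    release_model(&sk, free_early);
    int seen = sk.uniq ? ++*sk.uniq : -1;  /* -1: storage already gone */
    grace_period_model();
    return sk.uniq == NULL ? seen : -2;    /* -2 would mean uniq leaked */
}
```

With the fixed ordering the late receiver still finds live storage, and the storage is released only once the deferred callback has dropped the extra reference.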

Related Identifiers

CVE-2026-31532

Affected Products

Linux