Security researchers have identified a use-after-free vulnerability in the Linux kernel's CAN subsystem, specifically within the raw socket receive path. Tracked as CVE-2026-31532, the flaw resides in the raw_rcv() function and can be triggered when a raw CAN socket is closed while concurrent receive operations are in flight. The fix, introduced in kernel commit series addressing the issue, ensures proper synchronization during socket teardown.

The Vulnerability: A Race Condition in raw_rcv

The bug lies in the interaction between raw_release() and raw_rcv(). When a raw CAN socket is released, raw_release() unregisters the socket from the CAN filter list using raw_unregister(). However, this unregistration does not guarantee that a concurrent raw_rcv() callback—which may already be executing on another CPU—has completed. If raw_rcv() accesses the socket's data structures after raw_release() has freed them, a use-after-free condition occurs.

This race window is narrow but exploitable. An attacker capable of sending CAN frames at high frequency while repeatedly opening and closing raw sockets could trigger the bug, potentially leading to memory corruption or privilege escalation. The CAN subsystem is commonly used in automotive, industrial control, and embedded systems, making this vulnerability particularly concerning for real-time and safety-critical environments.

The Fix: RCU-Based Synchronization

The patch addresses the issue by introducing Read-Copy-Update (RCU) synchronization in the raw socket receive path. Specifically, the fix ensures that raw_rcv() uses rcu_read_lock() to hold an RCU read-side critical section while accessing the socket. On the teardown side, raw_release() now calls synchronize_rcu() after unregistering the socket, guaranteeing that all pre-existing raw_rcv() callbacks have completed before any memory is freed.

This approach is a textbook application of RCU for protecting data structures that are read frequently but updated rarely. By deferring the actual memory reclamation until all readers have finished, the fix eliminates the race without imposing significant performance overhead on the fast path.

Technical Details of the Patch

The change touches the net/can/raw.c file in the kernel source. Key modifications include:

  • In raw_release(): After calling raw_unregister(), a synchronize_rcu() call is added to wait for any ongoing RCU read-side critical sections.
  • In raw_rcv(): The function now begins with rcu_read_lock() and ends with rcu_read_unlock(), ensuring that the socket reference remains valid throughout.
  • Additional rcu_dereference() calls are used to safely access socket pointers that may be modified concurrently.

The patch is minimal and focused, reducing the risk of introducing new regressions. It has been backported to stable kernel trees, including versions 5.10, 5.15, 6.1, and 6.6, which are commonly used in long-term support distributions.

Impact and Mitigation

Systems using raw CAN sockets are vulnerable if they run an affected kernel version. The vulnerability is rated as High severity with a CVSS score of 7.8, given the potential for local privilege escalation. However, exploitation requires local access and the ability to send CAN frames, which may limit the attack surface in some deployments.

Administrators should apply the kernel patch as soon as possible. For systems that cannot be immediately updated, a workaround is to restrict access to raw CAN sockets via appropriate permissions or disable the CAN subsystem if not required. Monitoring for unusual CAN traffic patterns may also help detect exploitation attempts.

Conclusion

CVE-2026-31532 serves as a reminder of the subtle concurrency bugs that can lurk in networking subsystems. The fix demonstrates the effectiveness of RCU for protecting read-mostly data paths. Users of Linux in automotive or industrial contexts should prioritize this update to maintain system integrity.