CVE-2026-31474

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> can: isotp: fix tx.buf use-after-free in isotp_sendmsg()<br /> <br /> isotp_sendmsg() uses only cmpxchg() on so-&gt;tx.state to serialize access<br /> to so-&gt;tx.buf. isotp_release() waits for ISOTP_IDLE via<br /> wait_event_interruptible() and then calls kfree(so-&gt;tx.buf).<br /> <br /> If a signal interrupts the wait_event_interruptible() inside close()<br /> while tx.state is ISOTP_SENDING, the loop exits early and release<br /> proceeds to force ISOTP_SHUTDOWN and continues to kfree(so-&gt;tx.buf)<br /> while sendmsg may still be reading so-&gt;tx.buf for the final CAN frame<br /> in isotp_fill_dataframe().<br /> <br /> The so-&gt;tx.buf can be allocated once when the standard tx.buf length needs<br /> to be extended. Move the kfree() of this potentially extended tx.buf to<br /> sk_destruct time when either isotp_sendmsg() and isotp_release() are done.