CVE-2026-22997
Description
In the Linux kernel, the following vulnerability has been resolved:
net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts
Since j1939_session_deactivate_activate_next() in j1939_tp_rxtimer() is called only when the timer is enabled, we need to call j1939_session_deactivate_activate_next() if we cancelled the timer. Otherwise, refcount for j1939_session leaks, which will later appear as
| unregister_netdevice: waiting for vcan0 to become free. Usage count = 2.
problem.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A refcount leak in the Linux kernel's J1939 protocol, when two RTS frames are received, can cause network device unregister hangs.
Vulnerability
Description
In the Linux kernel's J1939 protocol implementation, a refcount leak occurs in j1939_xtp_rx_rts_session_active() when a second RTS (Request to Send) frame is received. The leak happens because j1939_session_deactivate_activate_next() is only called when the timer is enabled, but if the timer is cancelled, the session is not properly deactivated, leading to an elevated reference count.
Attack
Surface
This vulnerability can be exploited by an attacker with local access and the ability to send raw CAN frames over a J1939 interface. No authentication is required, only the ability to communicate via the CAN bus. The attacker sends a first RTS frame to create a session, then sends a second RTS frame to trigger the leak without proper session deactivation.
Impact
The refcount leak prevents the session object from being freed, eventually causing the kernel to hang when unregistering the network device. This results in a denial-of-service (DoS) condition, as the system waits indefinitely for the device usage count to drop to zero, as indicated by the kernel message 'unregister_netdevice: waiting for vcan0 to become free. Usage count = 2.' [1][2][3]
Mitigation
The fix involves calling j1939_session_deactivate_activate_next() when the timer is cancelled, ensuring the session is deactivated and the refcount is properly released. The patch is available in the stable kernel tree and has been backported to affected versions. Users are advised to apply the latest kernel updates to remediate this vulnerability.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
7cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 6 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=5.4,<5.10.249
- cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
- (no CPE)
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- git.kernel.org/stable/c/1809c82aa073a11b7d335ae932d81ce51a588a4anvdPatch
- git.kernel.org/stable/c/6121b7564c725b632ffe4764abe85aa239d37703nvdPatch
- git.kernel.org/stable/c/809a437e27a3bf3c1c6c8c157773635552116f2bnvdPatch
- git.kernel.org/stable/c/a73e7d7e346dae1c22dc3e95b02ca464b12daf2cnvdPatch
- git.kernel.org/stable/c/adabf01c19561e42899da9de56a6a1da0e6b8a5bnvdPatch
- git.kernel.org/stable/c/b1d67607e97d489c0cfbbf55f48a76b00710b0e4nvdPatch
- git.kernel.org/stable/c/cb2a610867bc379988bae0bb4b8bbc59c0decf1anvdPatch
News mentions
0No linked articles in our index yet.