KernelScan.io

HIGH

can/j1939 Session Leak

CVE-2026-22997

CVSS 7.5 / 10.0 NVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

KernelScan AI 6.2 MEDIUM


In the Linux kernel, the following vulnerability has been resolved:

net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts

Since j1939_session_deactivate_activate_next() in j1939_tp_rxtimer() is called only when the timer is enabled, we need to call j1939_session_deactivate_activate_next() if we cancelled the timer. Otherwise, refcount for j1939_session leaks, which will later appear as

| unregister_netdevice: waiting for vcan0 to become free. Usage count = 2.

problem.


Engine v0.2.0

Risk summary

Systems with CAN bus interfaces running the J1939 protocol are vulnerable to a kernel resource leak. An attacker on the same CAN bus can cause a j1939_session refcount leak by sending a duplicate RTS during an active session, eventually preventing network interface teardown and causing denial of service.

Affected: net/can/j1939/transport.c (J1939 CAN protocol)

Vulnerability analysis

The vulnerability exists in the J1939 transport protocol receive path. When a second RTS (Request to Send) message arrives while a session is already active, the code cancels the session timer and aborts the current session, but fails to call j1939_session_deactivate_activate_next() for receiver sessions in the WAITING_ABORT state. This omits the necessary refcount decrement, causing the session object to leak. The leak accumulates and ultimately prevents the CAN network interface from being unregistered (e.g., during shutdown or module unload), resulting in a persistent denial of service. The fix adds the missing deactivation call for the receiver path when the timer is cancelled by the second RTS.
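A simplified user-space model of the reference accounting described above, added here as an illustration; it is not the kernel's code or the upstream patch. The struct, the `fixed` switch and all function names are hypothetical, and the model assumes the active-session list holds one reference that only the deactivation call drops.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model, NOT kernel code: all names here are hypothetical. */
struct session {
    int  refcount;     /* references currently held on the session */
    bool active;       /* on the active list (assumed to hold one reference) */
    bool timer_armed;  /* rx timer pending */
};

static void session_start(struct session *s) {
    s->refcount = 2;   /* one for the creator, one for the active list */
    s->active = true;
    s->timer_armed = true;
}

/* Stands in for j1939_session_deactivate_activate_next(). */
static void session_deactivate(struct session *s) {
    if (s->active) { s->active = false; s->refcount--; }
}

/* Stands in for j1939_tp_rxtimer(): runs only if the timer is still armed. */
static void rxtimer_fire(struct session *s) {
    if (!s->timer_armed) return;
    s->timer_armed = false;
    session_deactivate(s);
}

/* Second RTS on an active session: the timer is cancelled. */
static void rx_second_rts(struct session *s, bool fixed) {
    bool cancelled = s->timer_armed;
    s->timer_armed = false;
    if (fixed && cancelled)
        session_deactivate(s);  /* the call the fix adds */
}

/* References left once the creator has dropped its own; 0 means no leak. */
int leaked_refs(bool fixed) {
    struct session s;
    session_start(&s);
    rx_second_rts(&s, fixed);
    rxtimer_fire(&s);           /* no-op: the timer was cancelled */
    s.refcount--;               /* creator's put */
    return s.refcount;
}

int main(void) {
    printf("unfixed: %d leaked, fixed: %d leaked\n", leaked_refs(false), leaked_refs(true));
    return 0;
}
```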


Branch     Fixed in    Patch commit
5.10       5.10.249    a73e7d7e346d
5.15       5.15.199    adabf01c1956
6.1        6.1.162     b1d67607e97d
6.12       6.12.67     cb2a610867bc
6.18       6.18.7      6121b7564c72
6.6        6.6.122     809a437e27a3
mainline   6.19        1809c82aa073