Description
In the Linux kernel, the following vulnerability has been resolved:

net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts

Since j1939_session_deactivate_activate_next() in j1939_tp_rxtimer() is
called only when the timer is enabled, we need to call
j1939_session_deactivate_activate_next() if we cancelled the timer.
Otherwise, refcount for j1939_session leaks, which will later appear as

| unregister_netdevice: waiting for vcan0 to become free. Usage count = 2.

problem.
Published: 2026-01-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Resource Leak leading to potential denial of service
Action: Apply patch
AI Analysis

Impact

A bug in the Linux kernel CAN J1939 driver prevents the j1939_session from being deactivated when a second request-to-send (RTS) frame is received. The omission of a necessary call causes the session reference count to leak, which later manifests as errors such as "unregister_netdevice: waiting for vcan0 to become free. Usage count = 2." The leaked reference count can keep a virtual CAN device from being reclaimed, leading to resource exhaustion or a denial of service on the affected system.

Affected Systems

The flaw affects the Linux kernel, specifically the 6.19 release candidate series (rc1 through rc5). Vendors delivering kernels from this series are impacted.

Risk and Exploitability

The CVSS score is 5.5, indicating moderate severity. The EPSS score is below 1%, implying a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, so there is no known widespread exploitation. The attack requires local or fragment-level access to send CAN J1939 frames to a device; it is not exploitable over the network. In practice, an attacker would need to inject malformed or excessive RTS frames on a host that has active CAN interfaces, and the impact would be a gradual depletion of reference counts and eventual kernel or device unavailability.

Generated by OpenCVE AI on April 18, 2026 at 15:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that adds a call to j1939_session_deactivate_activate_next() in net/can/j1939/impl.c
  • Upgrade to Linux kernel 6.19 rc6 or later where the fix is included
  • If upgrade is not immediately possible, disable the CAN subsystem or remove vcan devices until the patch can be applied
  • Monitor kernel logs for "unregister_netdevice: waiting for vcan" warnings to detect ongoing leaks
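As an added illustration of the last item (not part of the OpenCVE record or the kernel project), the check below scans kernel log lines for the "unregister_netdevice: waiting for <dev> to become free" message quoted in the commit message and flags a device as likely leaking when the message repeats without the usage count ever dropping. The log lines are constructed samples; the kernel re-emits this message roughly every 10 seconds while a device teardown is blocked, so a single occurrence is noise and a persistent run with a constant count is the leak signature.

```python
import re
from collections import defaultdict

# Message printed by the kernel while a net device cannot be freed; this is
# the symptom quoted in the CVE-2026-22997 commit message.
WAIT_RE = re.compile(
    r"unregister_netdevice: waiting for (?P<dev>\S+) to become free\. "
    r"Usage count = (?P<count>\d+)"
)

def parse_wait_events(lines):
    """Return {device: [usage counts in log order]} for matching lines."""
    events = defaultdict(list)
    for line in lines:
        m = WAIT_RE.search(line)
        if m:
            events[m.group("dev")].append(int(m.group("count")))
    return dict(events)

def find_stuck_devices(lines, min_repeats=3):
    """Devices whose warning repeats at least min_repeats times with a usage
    count that never decreases: the pattern of a leaked reference, as opposed
    to a teardown that is merely slow to drain its references."""
    stuck = {}
    for dev, counts in parse_wait_events(lines).items():
        non_decreasing = all(b >= a for a, b in zip(counts, counts[1:]))
        if len(counts) >= min_repeats and non_decreasing and counts[-1] > 0:
            stuck[dev] = counts[-1]
    return stuck

# Constructed sample dmesg lines (timestamps and content invented for the demo):
# vcan0 stays stuck at usage count 2, vcan1 appears once and is not flagged.
SAMPLE_LOG = """\
[  120.001] unregister_netdevice: waiting for vcan0 to become free. Usage count = 2
[  125.500] can: j1939: some unrelated message
[  130.002] unregister_netdevice: waiting for vcan0 to become free. Usage count = 2
[  131.000] unregister_netdevice: waiting for vcan1 to become free. Usage count = 1
[  140.003] unregister_netdevice: waiting for vcan0 to become free. Usage count = 2
""".splitlines()

if __name__ == "__main__":
    for dev, count in find_stuck_devices(SAMPLE_LOG).items():
        print(f"{dev}: possible refcount leak, usage count stuck at {count}")
```

Feed it `dmesg` or `journalctl -k` output line by line on a real host; a device that stays in the result across several scans is worth correlating with CAN J1939 activity.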

Generated by OpenCVE AI on April 18, 2026 at 15:07 UTC.


Advisories
Source       ID           Title
Debian DLA   DLA-4475-1   linux security update
Debian DLA   DLA-4476-1   linux-6.1 security update
Debian DSA   DSA-6126-1   linux security update
Debian DSA   DSA-6127-1   linux security update
Ubuntu USN   USN-8162-1   Linux kernel (NVIDIA Tegra) vulnerabilities
Ubuntu USN   USN-8180-1   Linux kernel vulnerabilities
Ubuntu USN   USN-8180-2   Linux kernel (FIPS) vulnerabilities
Ubuntu USN   USN-8186-1   Linux kernel (Real-time) vulnerabilities
Ubuntu USN   USN-8187-1   Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN   USN-8188-1   Linux kernel (HWE) vulnerabilities
Ubuntu USN   USN-8180-3   Linux kernel vulnerabilities
Ubuntu USN   USN-8180-4   Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN   USN-8180-5   Linux kernel (IBM) vulnerabilities
History

Mon, 27 Apr 2026 14:15:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Sat, 18 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-248
CWE-795

Thu, 26 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*

Fri, 06 Feb 2026 16:45:00 +0000


Fri, 30 Jan 2026 10:00:00 +0000


Tue, 27 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Sun, 25 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts Since j1939_session_deactivate_activate_next() in j1939_tp_rxtimer() is called only when the timer is enabled, we need to call j1939_session_deactivate_activate_next() if we cancelled the timer. Otherwise, refcount for j1939_session leaks, which will later appear as | unregister_netdevice: waiting for vcan0 to become free. Usage count = 2. problem.
Title net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-27T14:02:02.211Z

Reserved: 2026-01-13T15:37:45.938Z

Link: CVE-2026-22997

Vulnrichment

No data.

NVD

Status : Modified

Published: 2026-01-25T15:15:54.540

Modified: 2026-04-27T14:16:28.440

Link: CVE-2026-22997

Redhat

Severity : Low

Public Date: 2026-01-25T00:00:00Z

Links: CVE-2026-22997 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T15:15:03Z