Description
In the Linux kernel, the following vulnerability has been resolved:

can: mcp251x: fix deadlock in error path of mcp251x_open

The mcp251x_open() function calls free_irq() in its error path with the
mpc_lock mutex held. But if an interrupt already occurred the
interrupt handler will be waiting for the mpc_lock and free_irq() will
deadlock waiting for the handler to finish.

This issue is similar to the one fixed in commit 7dd9c26bd6cf ("can:
mcp251x: fix deadlock if an interrupt occurs during mcp251x_open") but
for the error path.

To solve this issue move the call to free_irq() after the lock is
released. Setting `priv->force_quit = 1` beforehand ensures that the IRQ
handler will exit right away once it has acquired the lock.
Published: 2026-03-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Deadlock causing kernel stall
Action: Immediate Patch
AI Analysis

Impact

The vulnerability appears in the mcp251x CAN controller driver in the Linux kernel. During an error path in the mcp251x_open function, the driver calls free_irq while holding the mpc_lock mutex. If an interrupt has already occurred, the handler waits for the same mutex, resulting in a deadlock that stalls the kernel. This can lead to a denial‑of‑service condition, potentially making the system unresponsive or requiring a reboot. The weakness falls under CWEs that involve deadlocks (CWE‑833).
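
The lock ordering at issue, as an added userspace model built on pthreads (not kernel code and not the driver's source): a thread stands in for the IRQ handler and a bounded wait stands in for free_irq(). Every identifier is hypothetical, and the 200 ms timeout exists only so the buggy ordering returns a result instead of hanging.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdatomic.h>
#include <time.h>

/* Userspace model; every name below is hypothetical, not the driver's. */
struct dev {
    pthread_mutex_t lock;                 /* plays the role of the driver mutex */
    atomic_int force_quit, handler_done;  /* bail-out flag, handler-returned flag */
    int serviced;                         /* work done by the handler, under lock */
};

static void *irq_thread(void *arg) {      /* models the threaded IRQ handler */
    struct dev *d = arg;
    pthread_mutex_lock(&d->lock);         /* blocks while the open path holds it */
    if (!atomic_load(&d->force_quit))
        d->serviced++;                    /* real handler would touch the chip */
    pthread_mutex_unlock(&d->lock);
    atomic_store(&d->handler_done, 1);
    return NULL;
}

/* Models free_irq(): wait for the handler to return, giving up after ms. */
static int wait_for_handler(struct dev *d, int ms) {
    struct timespec tick = { 0, 1000000 };            /* 1 ms */
    while (!atomic_load(&d->handler_done) && ms-- > 0)
        nanosleep(&tick, NULL);
    return atomic_load(&d->handler_done);
}

/* Returns -1 if the error path would deadlock, else events serviced. */
int open_error_path(int fixed) {
    struct dev d = { .serviced = 0 };
    pthread_t t; int finished;
    pthread_mutex_init(&d.lock, NULL);
    pthread_mutex_lock(&d.lock);                      /* open path takes the lock */
    if (pthread_create(&t, NULL, irq_thread, &d))     /* interrupt fires mid-open */
        return -2;                                    /* model thread not started */
    if (fixed) {
        atomic_store(&d.force_quit, 1);               /* handler will exit at once */
        pthread_mutex_unlock(&d.lock);
        finished = wait_for_handler(&d, 2000);        /* "free_irq" after unlock */
    } else {
        finished = wait_for_handler(&d, 200);         /* "free_irq" with lock held */
        pthread_mutex_unlock(&d.lock);                /* demo-only escape hatch */
    }
    pthread_join(t, NULL);
    return finished ? d.serviced : -1;
}
int main(void) { return !(open_error_path(0) == -1 && open_error_path(1) == 0); }
```

In the real kernel there is no timeout: free_irq() waits for the handler indefinitely, so the first ordering never returns.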

Affected Systems

The affected system is the Linux kernel. No specific kernel version numbers are listed in the available data, so any kernel that includes the mcp251x CAN driver before it was patched is potentially vulnerable. Users should verify that their kernel contains the commit that introduced the fix, or that they have applied a recent kernel update.

Risk and Exploitability

The CVSS base score of 5.5 indicates moderate severity. EPSS shows a probability of less than 1 %, and the vulnerability is not listed in CISA’s KEV catalog, suggesting it is not widely exploited. Attack vectors that can exploit this vulnerability appear to require local or privileged access to trigger the driver during a failing open operation, so it is not a remote exploit. Nevertheless, a local attacker who can manipulate the CAN controller could potentially cause the kernel to stall if the device generates an interrupt while the driver is trying to release its IRQ resources.

Generated by OpenCVE AI on March 26, 2026 at 14:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the mcp251x deadlock fix (committed in 2026‑03).
  • No specific workaround is available; avoid operations that trigger CAN controller initialization until an update is applied.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 09:15:00 +0000


Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-485

Thu, 26 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-833
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-485

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: can: mcp251x: fix deadlock in error path of mcp251x_open The mcp251x_open() function calls free_irq() in its error path with the mpc_lock mutex held. But if an interrupt already occurred the interrupt handler will be waiting for the mpc_lock and free_irq() will deadlock waiting for the handler to finish. This issue is similar to the one fixed in commit 7dd9c26bd6cf ("can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open") but for the error path. To solve this issue move the call to free_irq() after the lock is released. Setting `priv->force_quit = 1` beforehand ensures that the IRQ handler will exit right away once it has acquired the lock.
Title can: mcp251x: fix deadlock in error path of mcp251x_open
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-18T08:58:09.426Z

Reserved: 2026-01-13T15:37:46.000Z

Link: CVE-2026-23357

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-25T11:16:34.450

Modified: 2026-04-18T09:16:20.930

Link: CVE-2026-23357

Redhat

Severity : Low

Public Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23357 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:49:19Z

Weaknesses