CVE-2026-22997 Overview
A memory leak vulnerability has been identified in the Linux kernel's J1939 CAN protocol implementation. The flaw exists in the j1939_xtp_rx_rts_session_active() function, which fails to properly deactivate sessions when receiving a second Request to Send (RTS) message. This leads to reference count leaks for j1939_session objects, ultimately preventing network device cleanup and causing system resource exhaustion.
Critical Impact
This vulnerability can cause network devices to become unfreeable, leading to system hangs with "unregister_netdevice: waiting for vcan0 to become free" errors and potential denial of service conditions on affected Linux systems using J1939 CAN bus communication.
Affected Products
- Linux kernel with J1939 CAN protocol support enabled
- Systems using virtual CAN (vcan) interfaces with J1939
- Industrial and automotive Linux deployments utilizing SAE J1939 protocol
Discovery Timeline
- 2026-01-25 - CVE-2026-22997 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2026-22997
Vulnerability Analysis
The vulnerability stems from improper session lifecycle management in the J1939 transport protocol implementation. j1939_tp_rxtimer() calls j1939_session_deactivate_activate_next() only when the timer is enabled. However, when a second RTS (Request to Send) message is received during an active session, the timer may be cancelled without the deactivation function being called.
This creates a scenario where the j1939_session reference count is not decremented appropriately, causing a reference count leak. The leaked references prevent the associated network device from being properly unregistered, manifesting as the system waiting indefinitely for the device to become free with usage count errors.
Root Cause
The root cause is a missing call to j1939_session_deactivate_activate_next() when the timer is cancelled upon receiving a second RTS message. The original implementation assumed the timer callback would always handle session deactivation, but this assumption fails when the timer is explicitly cancelled. The fix ensures that session deactivation is called directly when the timer is cancelled, maintaining proper reference counting regardless of the timer state.
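The lifecycle described above can be reproduced in a small user-space model. This is an added illustration, not kernel code and not taken from the fix commits: the classes `NetDev` and `Session`, the function `simulate`, and the collapsing of the session reference and the device reference into a single counter are all simplifying assumptions.

```python
class NetDev:
    def __init__(self, name):
        self.name = name
        self.refs = 1  # model assumption: one reference held by registration itself

    def can_unregister(self):
        # Unregistration can only complete once no session pins the device.
        return self.refs == 1


class Session:
    def __init__(self, dev):
        self.dev = dev
        self.active = False
        self.timer_armed = False

    def activate(self):
        # An active session pins the device and arms its receive timer.
        self.active = True
        self.timer_armed = True
        self.dev.refs += 1

    def deactivate(self):
        # Stands in for j1939_session_deactivate_activate_next().
        if self.active:
            self.active = False
            self.dev.refs -= 1

    def timer_fires(self):
        # Stands in for j1939_tp_rxtimer(): deactivates only if still enabled.
        if self.timer_armed:
            self.timer_armed = False
            self.deactivate()

    def second_rts(self, patched):
        # Stands in for j1939_xtp_rx_rts_session_active() on a duplicate RTS.
        cancelled = self.timer_armed
        self.timer_armed = False          # timer cancelled
        if patched and cancelled:
            self.deactivate()             # the fix: deactivate when we cancelled


def simulate(patched, rounds=3):
    """Run `rounds` sessions that each receive a second RTS; return (refs, freeable)."""
    dev = NetDev("vcan0")
    for _ in range(rounds):
        s = Session(dev)
        s.activate()
        s.second_rts(patched)
        s.timer_fires()  # no-op here: the timer was already cancelled
    return dev.refs, dev.can_unregister()
```

In the unpatched path every round leaves one reference behind because neither the cancelled timer nor the RTS handler deactivates the session; the patched path returns the counter to its baseline.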
Attack Vector
An attacker or misconfigured device on a CAN bus network could trigger this vulnerability by sending multiple RTS messages to an active J1939 session. The vulnerability manifests through the following mechanism:
- An initial J1939 transport session is established with an RTS message
- A second RTS message is sent while the first session is still active
- The timer associated with the first session is cancelled
- The session deactivation function is not called, leaking the reference
- Repeated exploitation leads to resource exhaustion
The exploitation pattern results in the kernel waiting indefinitely for the network device reference count to drop to zero, effectively creating a denial of service condition. Technical details of the fix can be found in the kernel git commits.
Detection Methods for CVE-2026-22997
Indicators of Compromise
- Kernel log messages containing "unregister_netdevice: waiting for vcan0 to become free. Usage count = 2"
- Persistent network devices that cannot be removed or unregistered
- Gradual memory increase associated with j1939_session objects
- System hangs during network interface cleanup or shutdown operations
Detection Strategies
- Monitor kernel logs for "unregister_netdevice: waiting for" messages indicating stuck network devices
- Track j1939_session memory allocations using kernel memory debugging tools like kmemleak
- Implement network device reference count monitoring on systems with J1939 CAN support
- Use ss or netstat to identify lingering CAN socket connections
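One way to implement the kernel log check from the list above, as an added example that is not part of the original advisory. The sample log lines are constructed, and the function name `stuck_devices`, the repeat threshold and the restriction to interface names starting with `can` or `vcan` are assumptions.

```python
import re
from collections import defaultdict

# Message format as quoted in this advisory's indicator list.
PATTERN = re.compile(
    r"unregister_netdevice: waiting for (?P<dev>\S+) to become free\. "
    r"Usage count = (?P<count>-?\d+)"
)

# Constructed dmesg-style sample (timestamps and the eth0 line are made up).
SAMPLE_LOG = """\
[  512.104233] can: controller area network core
[  640.551020] unregister_netdevice: waiting for vcan0 to become free. Usage count = 2
[  650.790877] unregister_netdevice: waiting for vcan0 to become free. Usage count = 2
[  660.998410] unregister_netdevice: waiting for vcan0 to become free. Usage count = 2
[  700.000100] unregister_netdevice: waiting for eth0 to become free. Usage count = 1
"""


def stuck_devices(log_text, min_repeats=2, iface_prefixes=("can", "vcan")):
    """Return {device: {"repeats": n, "last_count": c}} for CAN-type interfaces
    whose unregister wait message appeared at least min_repeats times."""
    hits = defaultdict(lambda: {"repeats": 0, "last_count": None})
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if not m:
            continue
        dev = m.group("dev")
        # Assumption: only CAN and virtual CAN interfaces are relevant to J1939.
        if not dev.startswith(iface_prefixes):
            continue
        hits[dev]["repeats"] += 1
        hits[dev]["last_count"] = int(m.group("count"))
    # A single message can be transient; repeated ones indicate a held reference.
    return {d: v for d, v in hits.items() if v["repeats"] >= min_repeats}


if __name__ == "__main__":
    for dev, info in stuck_devices(SAMPLE_LOG).items():
        print(f"{dev}: {info['repeats']} wait messages, "
              f"usage count {info['last_count']}")
```

Feed it the output of `dmesg` or the kernel journal on hosts with J1939 enabled and alert on any non-empty result.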
Monitoring Recommendations
- Enable kernel memory leak detection during development and testing phases
- Deploy monitoring for CAN bus traffic anomalies including duplicate RTS messages
- Set up alerting for network device cleanup timeouts in production environments
- Regularly audit systems running J1939 workloads for memory growth patterns
How to Mitigate CVE-2026-22997
Immediate Actions Required
- Update the Linux kernel to a patched version containing the fix commits
- If immediate patching is not possible, consider temporarily disabling J1939 CAN protocol support if not required
- Monitor affected systems for signs of resource exhaustion and schedule reboots if necessary
- Review CAN bus network segmentation to limit exposure to potentially malicious traffic
Patch Information
The vulnerability has been addressed through kernel patches available in the stable kernel tree. The fix ensures that j1939_session_deactivate_activate_next() is called when the timer is cancelled, properly managing the session reference count. The patches are available through the following kernel git commits:
- Commit 1809c82aa073a11b7d335ae932d81ce51a588a4a
- Commit 6121b7564c725b632ffe4764abe85aa239d37703
- Commit cb2a610867bc379988bae0bb4b8bbc59c0decf1a
Workarounds
- Disable J1939 CAN protocol module (can-j1939) if not actively required using modprobe -r can-j1939
- Implement CAN bus traffic filtering to prevent duplicate RTS messages from reaching affected systems
- Deploy network isolation for J1939-enabled interfaces to limit attack surface
- Schedule regular system maintenance windows to clear any accumulated leaked resources
# Configuration example
# Disable J1939 CAN module if not required
sudo modprobe -r can-j1939
# Blacklist the module to prevent automatic loading
echo "blacklist can-j1939" | sudo tee /etc/modprobe.d/blacklist-j1939.conf
# Verify module is not loaded
lsmod | grep j1939


