Cyber Resilience

CVE-2026-22997

Severity: High
Published: 25 January 2026
Modified: 27 April 2026
KEV Added: not listed (see summary)
Patch: available (see mitigation)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0002 (5.4th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-22997 is a high-severity vulnerability (weakness type not yet specified) in the Linux kernel. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The EPSS model ranks it at the 5.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2026-22997 is a reference count leak in the Linux kernel's CAN J1939 implementation, specifically in the function j1939_xtp_rx_rts_session_active(). The issue arises because j1939_session_deactivate_activate_next() is only invoked from j1939_tp_rxtimer() when the timer is still enabled; when the timer is cancelled on receipt of a second RTS frame, the deactivation call is skipped. The result is a leaked reference on the j1939_session object, which later surfaces as errors like "unregister_netdevice: waiting for vcan0 to become free. Usage count = 2." The vulnerability affects the net/can/j1939 subsystem and has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Any unauthenticated attacker with network access can exploit this vulnerability by sending crafted J1939 RTS frames to a vulnerable Linux kernel instance using the CAN J1939 protocol. Successful exploitation results in a denial of service through resource exhaustion, as leaked session references prevent proper cleanup of virtual CAN devices like vcan0 during network device unregistration.

Mitigation requires applying the relevant stable kernel patches, available at the following commit URLs: https://git.kernel.org/stable/c/1809c82aa073a11b7d335ae932d81ce51a588a4a, https://git.kernel.org/stable/c/6121b7564c725b632ffe4764abe85aa239d37703, https://git.kernel.org/stable/c/809a437e27a3bf3c1c6c8c157773635552116f2b, https://git.kernel.org/stable/c/a73e7d7e346dae1c22dc3e95b02ca464b12daf2c, and https://git.kernel.org/stable/c/adabf01c19561e42899da9de56a6a1da0e6b8a5b. These commits ensure session deactivation occurs even when the timer is cancelled.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts

Since j1939_session_deactivate_activate_next() in j1939_tp_rxtimer() is called only when the timer is enabled, we need to call j1939_session_deactivate_activate_next() if we cancelled the timer. Otherwise, refcount for j1939_session leaks, which will later appear as

| unregister_netdevice: waiting for vcan0 to become free. Usage count = 2.

problem.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1498 Network Denial of Service (Impact): Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users.
T1499 Endpoint Denial of Service (Impact): Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.
Why these techniques?

Remote unauthenticated network exploitation of kernel protocol handler for resource exhaustion DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-31649 (same product: Linux Linux Kernel)
CVE-2026-31668 (same product: Linux Linux Kernel)
CVE-2026-23455 (same product: Linux Linux Kernel)
CVE-2026-43186 (same product: Linux Linux Kernel)
CVE-2026-22984 (same product: Linux Linux Kernel)
CVE-2026-31414 (same product: Linux Linux Kernel)
CVE-2026-43037 (same product: Linux Linux Kernel)
CVE-2026-43055 (same product: Linux Linux Kernel)
CVE-2026-31718 (same product: Linux Linux Kernel)
CVE-2026-31478 (same product: Linux Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 6.19 · 5.4 to 5.10.249 · 5.11 to 5.15.199 · 5.16 to 6.1.162

Mitigating Controls (NIST 800-53 r5, AI-assigned)

SI-2 Flaw Remediation (prevent): Directly mitigates the vulnerability by requiring timely application of kernel patches that ensure j1939_session_deactivate_activate_next() is called upon timer cancellation to prevent reference count leaks.

CM-7 Least Functionality (prevent): Prevents exploitation by restricting the kernel to least functionality, such as disabling the non-essential CAN J1939 module to eliminate the vulnerable code path.

Resource protection (prevent): Protects against denial of service from resource exhaustion by safeguarding kernel resources like network device references from unauthorized depletion due to the session leak.
