CVE-2026-22997
Published: 25 January 2026
Summary
CVE-2026-22997 is a high-severity vulnerability (weakness type unspecified) in the Linux kernel. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 5.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2026-22997 is a reference count leak vulnerability in the Linux kernel's CAN J1939 implementation, specifically within the function j1939_xtp_rx_rts_session_active(). The issue arises because j1939_session_deactivate_activate_next() is only invoked in j1939_tp_rxtimer() when the timer is enabled, but not when the timer is cancelled upon receiving a second RTS frame. This leads to a persistent reference count on the j1939_session object, manifesting as errors like "unregister_netdevice: waiting for vcan0 to become free. Usage count = 2." The vulnerability affects the net/can/j1939 subsystem and has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
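The ordering problem described above, as a simplified model added here rather than kernel code (the session struct, the timer and which path owns the reference are model assumptions): the receive-timer path drops the session reference, but a second RTS cancels that timer, so unless the cancellation path also deactivates the session, one reference is never released.

```c
/* Added example: a minimal model of the refcount imbalance behind
 * CVE-2026-22997. Not kernel code; refcount ownership is a simplified
 * assumption made only to show the ordering bug. */
#include <stdbool.h>

struct session {
    int refcount;      /* outstanding references on the session */
    bool timer_armed;  /* receive timer pending? */
};

/* First RTS: activate the session. In this model the armed receive
 * timer holds one reference. */
static void session_activate(struct session *s) {
    s->refcount++;
    s->timer_armed = true;
}

/* Release the reference owned by the timer-driven cleanup path. */
static void session_deactivate_activate_next(struct session *s) {
    s->refcount--;
}

/* Timer expiry: the only place the unfixed code drops the reference. */
static void rx_timer_fires(struct session *s) {
    if (!s->timer_armed)
        return;                     /* already cancelled: nothing to do */
    s->timer_armed = false;
    session_deactivate_activate_next(s);
}

/* Second RTS on an active session cancels the timer. The unfixed path
 * returns without deactivating; the fixed path deactivates whenever it
 * actually cancelled a pending timer. */
static void rx_second_rts(struct session *s, bool fixed) {
    bool cancelled = s->timer_armed;
    s->timer_armed = false;
    if (fixed && cancelled)
        session_deactivate_activate_next(s);
}

/* References left after: first RTS, second RTS, timer expiry. 0 is a
 * clean teardown; 1 is the leak that later blocks vcan0 unregistration. */
int leaked_refs(bool fixed) {
    struct session s = { .refcount = 0, .timer_armed = false };
    session_activate(&s);
    rx_second_rts(&s, fixed);
    rx_timer_fires(&s);             /* timer was cancelled: no-op */
    return s.refcount;
}
```

`leaked_refs(false)` returns 1 (the unfixed path) and `leaked_refs(true)` returns 0 (deactivation on cancellation).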
Any unauthenticated attacker with network access can exploit this vulnerability by sending crafted J1939 RTS frames to a vulnerable Linux kernel instance using the CAN J1939 protocol. Successful exploitation results in a denial of service through resource exhaustion, as leaked session references prevent proper cleanup of virtual CAN devices like vcan0 during network device unregistration.
Mitigation requires applying the relevant stable kernel patches, available at the following commit URLs:
- https://git.kernel.org/stable/c/1809c82aa073a11b7d335ae932d81ce51a588a4a
- https://git.kernel.org/stable/c/6121b7564c725b632ffe4764abe85aa239d37703
- https://git.kernel.org/stable/c/809a437e27a3bf3c1c6c8c157773635552116f2b
- https://git.kernel.org/stable/c/a73e7d7e346dae1c22dc3e95b02ca464b12daf2c
- https://git.kernel.org/stable/c/adabf01c19561e42899da9de56a6a1da0e6b8a5b
These commits ensure session deactivation occurs even when the timer is cancelled.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4637
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts
Since j1939_session_deactivate_activate_next() in j1939_tp_rxtimer() is called only when the timer is enabled, we need to call j1939_session_deactivate_activate_next() if we cancelled the timer. Otherwise, refcount for j1939_session leaks, which will later appear as
| unregister_netdevice: waiting for vcan0 to become free. Usage count = 2.
problem.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote, unauthenticated network exploitation of a kernel protocol handler, causing a resource-exhaustion denial of service.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the vulnerability by requiring timely application of kernel patches that ensure j1939_session_deactivate_activate_next() is called upon timer cancellation to prevent reference count leaks.
- CM-7 (Least Functionality): Prevents exploitation by restricting the kernel to least functionality, such as disabling the non-essential CAN J1939 module to eliminate the vulnerable code path.
- Protects against denial of service from resource exhaustion by safeguarding kernel resources, such as network device references, from unauthorized depletion due to the session leak.