Bug 2432657 (CVE-2026-22997)

Summary: CVE-2026-22997 kernel: net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A reference count leak vulnerability was found in the Linux kernel's CAN J1939 protocol implementation. When a second RTS (Request To Send) message is received on an active session and the timer is cancelled, j1939_session_deactivate_activate_next() is not called, causing the j1939_session reference count to leak. This prevents the network device from being unregistered, resulting in "waiting for vcan0 to become free" messages.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-01-25 15:01:23 UTC 
In the Linux kernel, the following vulnerability has been resolved:

net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts

Since j1939_session_deactivate_activate_next() in j1939_tp_rxtimer() is
called only when the timer is enabled, we need to call
j1939_session_deactivate_activate_next() if we cancelled the timer.
Otherwise, refcount for j1939_session leaks, which will later appear as

| unregister_netdevice: waiting for vcan0 to become free. Usage count = 2.

problem.
Comment 1 Alexander B 2026-01-26 08:54:35 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026012533-CVE-2026-22997-42ca@gregkh/T