Updated: 2026-02-26
Description:
In the Linux kernel, the following vulnerability has been resolved: net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts Since j1939_session_deactivate_activate_next() in j1939_tp_rxtimer() is called only when the timer is enabled, we need to call j1939_session_deactivate_activate_next() if we cancelled the timer. Otherwise, refcount for j1939_session leaks, which will later appear as | unregister_netdevice: waiting for vcan0 to become free. Usage count = 2. problem. A reference count leak vulnerability was found in the Linux kernel's CAN J1939 protocol implementation. When a second RTS (Request To Send) message is received on an active session and the timer is cancelled, j1939_session_deactivate_activate_next() is not called, causing the j1939_session reference count to leak. This prevents the network device from being unregistered, resulting in "waiting for vcan0 to become free" messages.
CVSS3: 5.5
| OS | Vendor version | Errata |
|---|---|---|
| Debian 11 | 5.10.249-1 | DLA-4475-1 |
| Debian 11 cloud | 5.10.249-1 | DLA-4475-1 |
| Debian 12 | 6.1.162-1 | DSA-6127-1 |
| OS | Original kernel version | State |
|---|---|---|
| Debian 11 | |
Will Not Fix |
| Debian 11 cloud | |
Will Not Fix |
| Debian 12 | |
Planned |