Skip to main content

Linux EUVDEUVD-2026-15342

| CVE-2026-23362 MEDIUM
Improper Locking (CWE-667)
2026-03-25 Linux GHSA-57pc-f5j8-25x4
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 24, 2026 - 18:22 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15342
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

can: bcm: fix locking for bcm_op runtime updates

Commit c2aba69d0c36 ("can: bcm: add locking for bcm_op runtime updates") added a locking for some variables that can be modified at runtime when updating the sending bcm_op with a new TX_SETUP command in bcm_tx_setup().

Usually the RX_SETUP only handles and filters incoming traffic with one exception: When the RX_RTR_FRAME flag is set a predefined CAN frame is sent when a specific RTR frame is received. Therefore the rx bcm_op uses bcm_can_tx() which uses the bcm_tx_lock that was only initialized in bcm_tx_setup(). Add the missing spin_lock_init() when allocating the bcm_op in bcm_rx_setup() to handle the RTR case properly.

AnalysisAI

A locking initialization vulnerability exists in the Linux kernel's CAN BCM (Broadcast Manager) socket implementation where the bcm_tx_lock spinlock is not properly initialized in the RX setup path, creating a race condition when RX_RTR_FRAME flag processing attempts to transmit frames. This affects all Linux kernel versions with the vulnerable CAN BCM code, and while no public exploit is known, the vulnerability could lead to kernel memory corruption or denial of service if the uninitialized lock is accessed during concurrent RTR frame handling.

Technical ContextAI

The vulnerability resides in the Linux kernel's CAN (Controller Area Network) Broadcast Manager module (net/can/bcm.c), which handles high-level CAN message filtering and transmission. The CAN BCM socket implementation supports both RX_SETUP (receive configuration) and TX_SETUP (transmit configuration) operations. The RX_SETUP path normally only handles incoming traffic filtering, but includes a special case: when the RX_RTR_FRAME flag is set, the kernel must send a predefined CAN frame in response to a Remote Transmission Request (RTR) frame. This transmission path uses the bcm_can_tx() function, which requires the bcm_tx_lock spinlock for thread-safe access to shared transmission state. However, while commit c2aba69d0c36 added proper spinlock initialization in the TX_SETUP path (bcm_tx_setup function), the corresponding initialization was omitted from the RX_SETUP path (bcm_rx_setup function), leaving the spinlock uninitialized when RTR frame transmission occurs. This is classified as a synchronization primitive initialization failure (CWE-667) where a critical synchronization mechanism lacks proper setup, creating potential use-before-init conditions.

RemediationAI

Update the Linux kernel to a version that includes the fix by upgrading to the latest stable release for your kernel series. For example, if running kernel 6.6.x, upgrade to 6.6.y where y is the first version containing commit 8215ba7bc99e84e66fd6938874ec4330a9d96518 or later. Users can verify their kernel includes the fix by checking if net/can/bcm.c in their kernel source contains spin_lock_init(&op->lock) in the bcm_rx_setup() function. Until patching is possible, if CAN BCM functionality is not required, disable the CONFIG_CAN_BCM kernel module to eliminate the attack surface. For systems that require CAN functionality, restrict access to CAN sockets through AppArmor, SELinux, or other mandatory access control mechanisms to limit exposure to local attackers. Kernel patches are available in the stable git repositories referenced at https://git.kernel.org/stable/ and have been distributed through standard Linux distribution security update channels.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-15342 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy