{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23357", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.000Z", "datePublished": "2026-03-25T10:27:41.299Z", "dateUpdated": "2026-05-11T22:05:18.120Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:05:18.120Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: mcp251x: fix deadlock in error path of mcp251x_open\n\nThe mcp251x_open() function call free_irq() in its error path with the\nmpc_lock mutex held. But if an interrupt already occurred the\ninterrupt handler will be waiting for the mpc_lock and free_irq() will\ndeadlock waiting for the handler to finish.\n\nThis issue is similar to the one fixed in commit 7dd9c26bd6cf (\"can:\nmcp251x: fix deadlock if an interrupt occurs during mcp251x_open\") but\nfor the error path.\n\nTo solve this issue move the call to free_irq() after the lock is\nreleased. Setting `priv->force_quit = 1` beforehand ensure that the IRQ\nhandler will exit right away once it acquired the lock."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/can/spi/mcp251x.c"], "versions": [{"version": "bf66f3736a945dd4e92d86427276c6eeab0a6c1d", "lessThan": "739454057572cb0948658d1142f3fa2c6966465c", "status": "affected", "versionType": "git"}, {"version": "bf66f3736a945dd4e92d86427276c6eeab0a6c1d", "lessThan": "416c18ecddafab0ed09be1e7b9d2f448f3d4db16", "status": "affected", "versionType": "git"}, {"version": "bf66f3736a945dd4e92d86427276c6eeab0a6c1d", "lessThan": "256f0cff6e946c570392bda1d01a65e789a7afd0", "status": "affected", "versionType": "git"}, {"version": "bf66f3736a945dd4e92d86427276c6eeab0a6c1d", "lessThan": "b73832292cd914e87a55e863ba4413a907e7db6b", "status": "affected", "versionType": "git"}, {"version": "bf66f3736a945dd4e92d86427276c6eeab0a6c1d", "lessThan": "38063cc435b69d56e76f947c10d336fcb2953508", "status": "affected", "versionType": "git"}, {"version": "bf66f3736a945dd4e92d86427276c6eeab0a6c1d", "lessThan": "d27f12c3f5e85efc479896af4a69eccb37f75e8e", "status": "affected", "versionType": "git"}, {"version": "bf66f3736a945dd4e92d86427276c6eeab0a6c1d", "lessThan": "e728f444c913a91d290d1824b4770780bbd6378e", "status": "affected", "versionType": "git"}, {"version": "bf66f3736a945dd4e92d86427276c6eeab0a6c1d", "lessThan": "ab3f894de216f4a62adc3b57e9191888cbf26885", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/can/spi/mcp251x.c"], "versions": [{"version": "2.6.34", "status": "affected"}, {"version": "0", "lessThan": "2.6.34", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.34", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.34", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.34", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.34", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.34", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.34", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.34", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.34", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/739454057572cb0948658d1142f3fa2c6966465c"}, {"url": "https://git.kernel.org/stable/c/416c18ecddafab0ed09be1e7b9d2f448f3d4db16"}, {"url": "https://git.kernel.org/stable/c/256f0cff6e946c570392bda1d01a65e789a7afd0"}, {"url": "https://git.kernel.org/stable/c/b73832292cd914e87a55e863ba4413a907e7db6b"}, {"url": "https://git.kernel.org/stable/c/38063cc435b69d56e76f947c10d336fcb2953508"}, {"url": "https://git.kernel.org/stable/c/d27f12c3f5e85efc479896af4a69eccb37f75e8e"}, {"url": "https://git.kernel.org/stable/c/e728f444c913a91d290d1824b4770780bbd6378e"}, {"url": "https://git.kernel.org/stable/c/ab3f894de216f4a62adc3b57e9191888cbf26885"}], "title": "can: mcp251x: fix deadlock in error path of mcp251x_open", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F8124DB0-E974-47F7-A4CE-1F4CEA46F14B", "versionEndExcluding": "5.10.253", "versionStartIncluding": "2.6.34.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2EDC6BAF-B710-4E26-B6AA-D68922EE7B43", "versionEndExcluding": "6.1.167", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C57BB918-DF28-46B3-94F7-144176841267", "versionEndExcluding": "6.6.130", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B3D12E00-E42D-4056-B354-BAD4903C03A5", "versionEndExcluding": "6.12.77", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5E006E4-59C7-43C1-9231-62A72219F2BA", "versionEndExcluding": "6.18.17", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3", "versionEndExcluding": "6.19.7", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.34:-:*:*:*:*:*:*", "matchCriteriaId": "A3B1BC1D-ED46-4364-A1D9-1FA74182B03A", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: mcp251x: fix deadlock in error path of mcp251x_open\n\nThe mcp251x_open() function call free_irq() in its error path with the\nmpc_lock mutex held. But if an interrupt already occurred the\ninterrupt handler will be waiting for the mpc_lock and free_irq() will\ndeadlock waiting for the handler to finish.\n\nThis issue is similar to the one fixed in commit 7dd9c26bd6cf (\"can:\nmcp251x: fix deadlock if an interrupt occurs during mcp251x_open\") but\nfor the error path.\n\nTo solve this issue move the call to free_irq() after the lock is\nreleased. Setting `priv->force_quit = 1` beforehand ensure that the IRQ\nhandler will exit right away once it acquired the lock."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ncan: mcp251x: corregir interbloqueo en la ruta de error de mcp251x_open\n\nLa funci\u00f3n mcp251x_open() llama a free_irq() en su ruta de error con el mutex mpc_lock retenido. Pero si ya ocurri\u00f3 una interrupci\u00f3n, el gestor de interrupciones estar\u00e1 esperando por el mpc_lock y free_irq() se interbloquear\u00e1 esperando a que el gestor termine.\n\nEste problema es similar al resuelto en el commit 7dd9c26bd6cf ('can: mcp251x: corregir interbloqueo si ocurre una interrupci\u00f3n durante mcp251x_open') pero para la ruta de error.\n\nPara resolver este problema, mueva la llamada a free_irq() despu\u00e9s de que se libere el bloqueo. Establecer `priv->force_quit = 1` de antemano asegura que el gestor IRQ saldr\u00e1 de inmediato una vez que haya adquirido el bloqueo."}], "id": "CVE-2026-23357", "lastModified": "2026-04-24T19:04:35.540", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-25T11:16:34.450", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/256f0cff6e946c570392bda1d01a65e789a7afd0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/38063cc435b69d56e76f947c10d336fcb2953508"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/416c18ecddafab0ed09be1e7b9d2f448f3d4db16"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/739454057572cb0948658d1142f3fa2c6966465c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ab3f894de216f4a62adc3b57e9191888cbf26885"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b73832292cd914e87a55e863ba4413a907e7db6b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d27f12c3f5e85efc479896af4a69eccb37f75e8e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e728f444c913a91d290d1824b4770780bbd6378e"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-667"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: can: mcp251x: fix deadlock in error path of mcp251x_open", "id": "2451265", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451265"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-833", "details": ["A flaw was found in the Linux kernel's mcp251x Controller Area Network (CAN) driver. A local attacker could trigger a deadlock condition within the `mcp251x_open()` function's error handling path. This occurs when the `free_irq()` function is called while the `mpc_lock` mutex is held and an interrupt simultaneously occurs, causing the interrupt handler to wait for the same lock. This can lead to a system hang, resulting in a denial of service."], "name": "CVE-2026-23357", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23357\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23357\nhttps://lore.kernel.org/linux-cve-announce/2026032538-CVE-2026-23357-605e@gregkh/T"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[bf66f3736a945dd4e92d86427276c6eeab0a6c1d,256f0cff6e946c570392bda1d01a65e789a7afd0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[bf66f3736a945dd4e92d86427276c6eeab0a6c1d,b73832292cd914e87a55e863ba4413a907e7db6b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[bf66f3736a945dd4e92d86427276c6eeab0a6c1d,38063cc435b69d56e76f947c10d336fcb2953508)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[bf66f3736a945dd4e92d86427276c6eeab0a6c1d,d27f12c3f5e85efc479896af4a69eccb37f75e8e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[bf66f3736a945dd4e92d86427276c6eeab0a6c1d,e728f444c913a91d290d1824b4770780bbd6378e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[bf66f3736a945dd4e92d86427276c6eeab0a6c1d,ab3f894de216f4a62adc3b57e9191888cbf26885)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.34"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,2.6.34)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc3,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T17:05:24.145769+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes the mcp251x deadlock fix (committed in 2026\u201103).", "No specific workaround is available; avoid operations that trigger CAN controller initialization until an update is applied.", "If a deadlock occurs due to the faulty driver, reboot the system to restore kernel operation."], "summary": {"action": "Immediate Patch", "impact": "Deadlock causing kernel stall"}, "threat_synthesis": {"affected_systems": "The affected system is the Linux kernel. No specific kernel version numbers are listed in the available data, so any kernel that includes the mcp251x CAN driver before it was patched is potentially vulnerable. Users should verify whether their kernel contains the commit that introduced the fix or have performed a recent kernel update.", "description_and_impact": "The vulnerability appears in the mcp251x CAN controller driver in the Linux kernel. During an error path in the mcp251x_open function, the driver calls free_irq while holding the mpc_lock mutex. If an interrupt has already occurred, the handler waits for the same mutex, resulting in a deadlock that stalls the kernel. This can lead to a denial\u2011of\u2011service condition, potentially making the system unresponsive or requiring a reboot. The weakness involves concurrency deadlock (CWE\u2011667) and resource management errors (CWE\u2011833).", "risk_and_exploitability": "The CVSS base score of 5.5 indicates moderate severity. EPSS shows a probability of less than 1\u202f%, and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting it is not widely exploited. Attack vectors that can exploit this vulnerability appear to require local or privileged access to trigger the driver during a failing open operation, so it is not a remote exploit. Nevertheless, a local attacker who can manipulate the CAN controller could potentially cause the kernel to stall if the device generates an interrupt while the driver is trying to release its IRQ resources. The weakness involves concurrency deadlock (CWE\u2011667) and resource management errors (CWE\u2011833)."}}}}, "created": "2026-03-25T21:31:58.463789+00:00", "updated": "2026-04-28T17:15:21.239017+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}