#VU124486 On-Chip Debug and Test Interface With Improper Access Control in Linux kernel - CVE-2026-23357
Published: March 25, 2026
Vulnerability identifier: #VU124486
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23357
CWE-ID: CWE-1191
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Linux kernel
Linux kernel
Software vendor:
Linux Foundation
Linux Foundation
Description
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper sequence of operations in the mcp251x CAN driver when handling error paths during device open. A local user can trigger the mcp251x_open function error path, which calls free_irq() while holding the mpc_lock mutex, leading to a deadlock if an interrupt is pending, resulting in a denial of service.
Exploitation requires access to the CAN device interface and the ability to trigger the error path in mcp251x_open.
Remediation
Install security update from vendor's repository.
External links
- https://git.kernel.org/stable/c/256f0cff6e946c570392bda1d01a65e789a7afd0
- https://git.kernel.org/stable/c/38063cc435b69d56e76f947c10d336fcb2953508
- https://git.kernel.org/stable/c/ab3f894de216f4a62adc3b57e9191888cbf26885
- https://git.kernel.org/stable/c/b73832292cd914e87a55e863ba4413a907e7db6b
- https://git.kernel.org/stable/c/d27f12c3f5e85efc479896af4a69eccb37f75e8e
- https://git.kernel.org/stable/c/e728f444c913a91d290d1824b4770780bbd6378e