CVE-2026-22997 Linux CVE debrief

Who should care

System administrators and security teams responsible for Linux-based systems, especially those using CAN (Controller Area Network) J1939 protocol, should be aware of this vulnerability. This includes industries that rely on Linux-based devices for automotive, industrial automation, and other applications where CAN J1939 is used.

Technical summary

The vulnerability is located in the j1939_xtp_rx_rts_session_active() function of the Linux kernel's CAN J1939 protocol implementation. When a second RTS message is received for an active session, the session is not properly deactivated, leading to a use-after-free condition. This can cause a reference count leak for the j1939_session, potentially resulting in issues such as network device unregistration failures.

Defensive priority

High

Recommended defensive actions

• Apply the patches provided by Linux kernel maintainers to address the vulnerability.
• Update Linux kernel to a version that includes the fixes, such as 5.10.249, 5.15.199, 6.1.162, 6.6.122, 6.12.67, or later.
• Implement additional monitoring and logging to detect potential exploitation attempts.
• Restrict access to CAN J1939 protocol interfaces to minimize the attack surface.
• Consider implementing a Web Application Firewall (WAF) or network traffic filtering to detect and block suspicious traffic.

Evidence notes

The information provided is based on the CVE-2026-22997 record and related patches from the Linux kernel repository. The vulnerability has been addressed by Linux kernel maintainers with a series of patches.

Official resources