DEBIAN-CVE-2026-23362
In the Linux kernel, the following vulnerability has been resolved: can: bcm: fix locking for bcm_op runtime updates Commit c2aba69d0c36 ("can: bcm: add locking for bcm_op runtime updates") added a locking for some variables that can be modified at runtime when updating the sending bcm_op with a new TX_SETUP command in bcm_tx_setup(). Usually the RX_SETUP only handles and filters incoming traffic with one exception: When the RX_RTR_FRAME flag is set a predefined CAN frame is sent when a specific RTR frame is received. Therefore the rx bcm_op uses bcm_can_tx() which uses the bcm_tx_lock that was only initialized in bcm_tx_setup(). Add the missing spin_lock_init() when allocating the bcm_op in bcm_rx_setup() to handle the RTR case properly.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:11 | linux-6.1 | 6.1.164-1, 6.1.162-1, 6.1.159-1 |
| Debian:12 | linux | 6.12.9-1~bpo12+1, 6.12~rc6-1~exp1, 6.13.10-1~exp1 |
| Debian:13 | linux | 6.12.43-1~bpo12+1, 6.12.41-1, 6.12.38-1 |
| Debian:14 | linux | 6.13.3-1, 6.13.4-1, 6.13.5-1 |
| Debian:11 | linux | 6.1.38-2, 6.1.38-3, 6.1.38-4 |
Exploit Intelligence
- 4593.2.0.yml (github-poc)
- 4628.1.0.yml (github-poc)
- 2026-05-06_426_linux-signed-amd64.yaml (github-poc)
Timeline
- Mar 25, 2026 CVE Published
- May 2, 2026 CVE Updated