{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23362", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.002Z", "datePublished": "2026-03-25T10:27:45.476Z", "dateUpdated": "2026-03-25T10:27:45.476Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:45.476Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: bcm: fix locking for bcm_op runtime updates\n\nCommit c2aba69d0c36 (\"can: bcm: add locking for bcm_op runtime updates\")\nadded a locking for some variables that can be modified at runtime when\nupdating the sending bcm_op with a new TX_SETUP command in bcm_tx_setup().\n\nUsually the RX_SETUP only handles and filters incoming traffic with one\nexception: When the RX_RTR_FRAME flag is set a predefined CAN frame is\nsent when a specific RTR frame is received. Therefore the rx bcm_op uses\nbcm_can_tx() which uses the bcm_tx_lock that was only initialized in\nbcm_tx_setup(). Add the missing spin_lock_init() when allocating the\nbcm_op in bcm_rx_setup() to handle the RTR case properly."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/can/bcm.c"], "versions": [{"version": "2a437b86ac5a9893c902f30ef66815bf13587bf6", "lessThan": "800f26f11ae37b17f58e0001f28a47dd75c26557", "status": "affected", "versionType": "git"}, {"version": "76c84c3728178b2d38d5604e399dfe8b0752645e", "lessThan": "70e951afad4c025261fe3c952d2b07237e320a01", "status": "affected", "versionType": "git"}, {"version": "cc55dd28c20a6611e30596019b3b2f636819a4c0", "lessThan": "8bcf2d847adb82b2c617456f6da17ac5e6c75285", "status": "affected", "versionType": "git"}, {"version": "c2aba69d0c36a496ab4f2e81e9c2b271f2693fd7", "lessThan": "8215ba7bc99e84e66fd6938874ec4330a9d96518", "status": "affected", "versionType": "git"}, {"version": "c2aba69d0c36a496ab4f2e81e9c2b271f2693fd7", "lessThan": "f0c349b2c21b220af5ba19f29b885e222958d796", "status": "affected", "versionType": "git"}, {"version": "c2aba69d0c36a496ab4f2e81e9c2b271f2693fd7", "lessThan": "c35636e91e392e1540949bbc67932167cb48bc3a", "status": "affected", "versionType": "git"}, {"version": "8f1c022541bf5a923c8d6fa483112c15250f30a4", "status": "affected", "versionType": "git"}, {"version": "7595de7bc56e0e52b74e56c90f7e247bf626d628", "status": "affected", "versionType": "git"}, {"version": "fbd8fdc2b218e979cfe422b139b8f74c12419d1f", "status": "affected", "versionType": "git"}, {"version": "c4e8a172501e677ebd8ea9d9161d97dc4df56fbd", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/can/bcm.c"], "versions": [{"version": "6.15", "status": "affected"}, {"version": "0", "lessThan": "6.15", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.141", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.93", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.31", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "7.0-rc3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.294"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.238"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.185"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14.9"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/800f26f11ae37b17f58e0001f28a47dd75c26557"}, {"url": "https://git.kernel.org/stable/c/70e951afad4c025261fe3c952d2b07237e320a01"}, {"url": "https://git.kernel.org/stable/c/8bcf2d847adb82b2c617456f6da17ac5e6c75285"}, {"url": "https://git.kernel.org/stable/c/8215ba7bc99e84e66fd6938874ec4330a9d96518"}, {"url": "https://git.kernel.org/stable/c/f0c349b2c21b220af5ba19f29b885e222958d796"}, {"url": "https://git.kernel.org/stable/c/c35636e91e392e1540949bbc67932167cb48bc3a"}], "title": "can: bcm: fix locking for bcm_op runtime updates", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: bcm: fix locking for bcm_op runtime updates\n\nCommit c2aba69d0c36 (\"can: bcm: add locking for bcm_op runtime updates\")\nadded a locking for some variables that can be modified at runtime when\nupdating the sending bcm_op with a new TX_SETUP command in bcm_tx_setup().\n\nUsually the RX_SETUP only handles and filters incoming traffic with one\nexception: When the RX_RTR_FRAME flag is set a predefined CAN frame is\nsent when a specific RTR frame is received. Therefore the rx bcm_op uses\nbcm_can_tx() which uses the bcm_tx_lock that was only initialized in\nbcm_tx_setup(). Add the missing spin_lock_init() when allocating the\nbcm_op in bcm_rx_setup() to handle the RTR case properly."}], "id": "CVE-2026-23362", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:35.220", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/70e951afad4c025261fe3c952d2b07237e320a01"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/800f26f11ae37b17f58e0001f28a47dd75c26557"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8215ba7bc99e84e66fd6938874ec4330a9d96518"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8bcf2d847adb82b2c617456f6da17ac5e6c75285"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c35636e91e392e1540949bbc67932167cb48bc3a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f0c349b2c21b220af5ba19f29b885e222958d796"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: can: bcm: fix locking for bcm_op runtime updates", "id": "2451256", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451256"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-909", "details": ["A flaw was found in the Linux kernel's Controller Area Network (CAN) Broadcast Manager (BCM) module. When the RX_RTR_FRAME flag is set and a specific Remote Transmission Request (RTR) frame is received, the bcm_tx_lock was not properly initialized in the bcm_rx_setup() function. This missing initialization of the lock could lead to a race condition, potentially allowing a local attacker to cause a Denial of Service (DoS) by triggering system instability."], "name": "CVE-2026-23362", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23362\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23362\nhttps://lore.kernel.org/linux-cve-announce/2026032539-CVE-2026-23362-40bd@gregkh/T"], "statement": "This flaw affects systems using CAN bus with the BCM (Broadcast Manager) socket. The missing spin_lock_init() for bcm_tx_lock in bcm_rx_setup() causes issues when RX_RTR_FRAME is used, as bcm_can_tx() accesses the uninitialized lock. Requires CAN interface and BCM socket usage with RTR frames.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-03-25T12:25:56.179458+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes the patch committing the missing spin lock, such as the merge from commit c2aba69d0c36", "Verify the kernel change by inspecting vendor release notes or the commit logs referenced in the advisory"], "summary": {"action": "Update Kernel", "impact": "Race Condition in BCM driver"}, "threat_synthesis": {"affected_systems": "The flaw resides in the Linux kernel\u2019s bcm driver. According to the provided CPE string and vendor list, any kernel build that includes the bcm module but does not contain the commit adding the missing lock may be affected. No specific kernel versions are listed, implying that pre\u2011patch kernels are potentially vulnerable across all distributions that ship an unmodified bcm module.", "description_and_impact": "During runtime updates of the BCM (Broadcom Controller Area Network) driver, a missing spin lock was not initialized. Based on the description, it is inferred that this oversight allows concurrent modifications to bcm_op structures while the driver handles CAN messages, potentially leading to data corruption or a crash of the kernel module. The weakness is a classic improper synchronization issue, often classified as CWE\u2011362.", "risk_and_exploitability": "The CVSS score is not provided and the EPSS score is unavailable, so quantitative severity cannot be determined from the supplied data. The vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation at this time. Based on the description, it is inferred that to exploit the race condition a local or privileged attacker must be able to influence CAN traffic or trigger the bcm_op runtime update path. Remote exploitation would require control over a CAN interface used by the target system. Because the issue involves a kernel lock, successful exploitation could lead to a denial of service or stability problems within the CAN subsystem."}}}}, "created": "2026-03-25T21:31:53.796088+00:00", "title": "Missing Lock in Linux BCM Driver Causes Race Condition", "updated": "2026-03-25T21:31:53.796115+00:00", "vendors": [], "weaknesses": ["CWE-362"]}