PT-2026-27727 · Linux · Linux Kernel

Published 2026-01-01 · Updated 2026-04-20 · CVE-2026-23362

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified)

Description: A flaw exists in the Linux kernel's CAN (Controller Area Network) subsystem, specifically within the Broadcom CAN (bcm) driver. A missing spinlock initialization in the bcm_rx_setup() function, when the bcm_op structure is allocated, can lead to issues when handling Remote Transmission Request (RTR) frames. The vulnerability occurs because bcm_tx_lock is only initialized in bcm_tx_setup(), while the RX setup path also uses bcm_can_tx() when an RTR frame is received. This can cause problems when the sending bcm_op is updated with a new TX_SETUP command. Commit c2aba69d0c36 aimed to add locking for runtime updates but did not fully address the initialization issue in the RX path. The vulnerable code is in the bcm_rx_setup() and bcm_tx_setup() functions.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Weakness Enumeration: Improper Locking

Related Identifiers

CVE-2026-23362
ECHO-F499-5A3E-5F7A
OESA-2026-1862
OESA-2026-1863
OESA-2026-1864
OPENSUSE-SU-2026:20826-1
SUSE-SU-2026:1668-1
SUSE-SU-2026:21841-1
SUSE-SU-2026:21845-1
SUSE-SU-2026:21860-1
SUSE-SU-2026:2217-1

Affected Products

Broadcom Nan
Linux Kernel