CVE-2026-23357 PUBLISHED

can: mcp251x: fix deadlock in error path of mcp251x_open

Assigner: Linux
Reserved: 13.01.2026 Published: 25.03.2026 Updated: 25.03.2026

In the Linux kernel, the following vulnerability has been resolved:

can: mcp251x: fix deadlock in error path of mcp251x_open

The mcp251x_open() function call free_irq() in its error path with the mpc_lock mutex held. But if an interrupt already occurred the interrupt handler will be waiting for the mpc_lock and free_irq() will deadlock waiting for the handler to finish.

This issue is similar to the one fixed in commit 7dd9c26bd6cf ("can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open") but for the error path.

To solve this issue move the call to free_irq() after the lock is released. Setting priv->force_quit = 1 beforehand ensure that the IRQ handler will exit right away once it acquired the lock.

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from bf66f3736a945dd4e92d86427276c6eeab0a6c1d to 256f0cff6e946c570392bda1d01a65e789a7afd0 (excl.)
  • affected from bf66f3736a945dd4e92d86427276c6eeab0a6c1d to b73832292cd914e87a55e863ba4413a907e7db6b (excl.)
  • affected from bf66f3736a945dd4e92d86427276c6eeab0a6c1d to 38063cc435b69d56e76f947c10d336fcb2953508 (excl.)
  • affected from bf66f3736a945dd4e92d86427276c6eeab0a6c1d to d27f12c3f5e85efc479896af4a69eccb37f75e8e (excl.)
  • affected from bf66f3736a945dd4e92d86427276c6eeab0a6c1d to e728f444c913a91d290d1824b4770780bbd6378e (excl.)
  • affected from bf66f3736a945dd4e92d86427276c6eeab0a6c1d to ab3f894de216f4a62adc3b57e9191888cbf26885 (excl.)
Vendor Linux
Product Linux
Versions Default: affected
  • Version 2.6.34 is affected
  • unaffected from 0 to 2.6.34 (excl.)
  • unaffected from 6.1.167 to 6.1.* (incl.)
  • unaffected from 6.6.130 to 6.6.* (incl.)
  • unaffected from 6.12.77 to 6.12.* (incl.)
  • unaffected from 6.18.17 to 6.18.* (incl.)
  • unaffected from 6.19.7 to 6.19.* (incl.)
  • unaffected from 7.0-rc3 to * (incl.)

References