{
"title": "One Missing Spinlock in Linux CAN BCM Can Crash Kernels: Patch Now to Protect WSL and Industrial Gear",
"content": "On March 25, 2026, the National Vulnerability Database assigned CVE-2026-23362 to a lock initialization flaw in the Linux kernel’s CAN Broadcast Manager. The bug, triggered by a missing spinlockinit() call, can crash or destabilize any system that processes specific CAN frames—including Windows machines running WSL 2, Azure Linux VMs, and countless embedded devices. While the CVSS 3.1 score is a moderate 5.5 (Medium), the fix demands attention because it sits at the intersection of Windows, Linux, and the physical world of automotive and industrial control.
A One-Line Fix with Ripple Effects
The defect lives in net/can/bcm.c. When the kernel sets up a receive-side Broadcast Manager operation via bcmrxsetup(), it allocates a struct bcmop. If that operation is configured to respond to Remote Transmission Request (RTR) frames—a CAN protocol feature that requests another node to transmit data—it may eventually call bcmcantx(), the transmit helper. The problem: bcmtxlock, a spinlock that serializes transmit-side updates, was never initialized in the receive path. It was only initialized in the transmit setup path (bcmtxsetup()). Consequently, when an RTR response fires, the kernel dereferences an uninitialized lock, leading to warnings, deadlocks, or outright crashes.
The fix, as committed to the kernel.org tree, adds exactly one line: spinlockinit(&op->bcmtxlock); inside bcmrxsetup(). It’s a textbook synchronization oversight—and a testament to how a legacy protocol feature can sidestep mental models. Syzbot, the kernel’s automated fuzzing service, reported the issue, and the patch was quickly backported to affected stable trees: 5.4, 5.10, 5.15, 6.1, 6.6, 6.12, 6.14, 6.15, 6.18, 6.19, and the 7.0 release candidates.
Who Should Worry (and Who Can Relax)
Everyday Windows users: Unless you’re tinkering with CAN hardware—USB adapters from PEAK or Kvaser, for instance—you are unlikely to encounter this bug. Your WSL instance, if you have one, runs a kernel that receives updates through Windows Update. If you haven’t touched /dev/can*, you’re safe.
WSL developers with CAN hardware: If you pass a USB CAN adapter through to WSL 2 (using usbipd or similar), you’re directly exposed. Update your WSL kernel immediately with wsl --update from an elevated PowerShell prompt, then verify with wsl uname -r. As of this writing, Microsoft has not yet released a kernel containing the fix, but it will arrive in a future WSL kernel rollup. Until then, consider disconnecting CAN hardware or blacklisting the canbcm module inside your WSL distribution.
IT administrators and cloud operators: Azure Linux VMs typically lack physical CAN interfaces, so the risk appears negligible. But kernel CVEs still flow through vulnerability scanners and compliance frameworks. Your real concern is edge devices, IoT gateways, and industrial PCs that run Linux and are managed by your team. Check lsmod | grep can on every Linux host in your fleet. If can_bcm appears, assess whether its use is legitimate. If not, disable it and apply the vendor kernel update during your next maintenance window.
Embedded and automotive engineers: This is your bread and butter. Your test rigs, diagnostic tools, and in-vehicle controllers likely run kernels that haven’t seen an update in years. A kernel crash during a production test could corrupt data, damage equipment, or delay projects. Coordinate with your BSP (Board Support Package) vendor to obtain a patched kernel image. In the interim, restrict local access to CAN sockets, and disable RTR-based responses if your application can tolerate it.
The Patch Timeline
The vulnerability followed a swift disclosure cycle by kernel standards:
- Early March 2026 – syzbot detects a lockdep warning in the CAN BCM path and reports it to the netdev mailing list.
- Mid-March – A fix is developed and tested; maintainers merge it into net-next.
- March 25, 2026 – CVE-2026-23362 is reserved and published by kernel.org; NVD receives the initial report.
- April 18, 2026 – kernel.org adds backport references to stable branches.
- April 24, 2026 – NVD completes its analysis, assigning CVSS 3.1 score, CWE-667, and CPE configurations.