LiveActive security incident?Get immediate response
CVE Record

CVE-2020-36789: can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ context

In the Linux kernel, the following vulnerability has been resolved: can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ context If a driver calls can_get_echo_skb() during a hardware IRQ (which is often, but not always, the case), the 'WARN_ON(in_irq)' in net/core/skbuff.c#skb_release_head_state() might be triggered, under network congestion circumstances, together with the potential risk of a NULL pointer dereference. The root cause of this issue is the call to kfree_skb() instead of dev_kfree_skb_irq() in net/core/dev.c#enqueue_to_backlog(). This patch prevents the skb to be freed within the call to netif_rx() by incrementing its reference count with skb_get(). The skb is finally freed by one of the in-irq-context safe functions: dev_consume_skb_any() or dev_kfree_skb_any(). The "any" version is used because some drivers might call can_get_echo_skb() in a normal context. The reason for this issue to occur is that initially, in the core network stack, loopback skb were not supposed to be received in hardware IRQ context. The CAN stack is an exeption. This bug was previously reported back in 2017 in [1] but the proposed patch never got accepted. While [1] directly modifies net/core/dev.c, we try to propose here a smoother modification local to CAN network stack (the assumption behind is that only CAN devices are affected by this issue). [1] http://lore.kernel.org/r/57a3ffb6-3309-3ad5-5a34-e93c3fe3614d@cetitec.com

MediumCVSS 5.5Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

This is a Linux kernel availability bug in the CAN networking stack. Under congestion, some CAN drivers calling echo handling from hardware interrupt context can trigger a kernel warning and potentially a NULL pointer dereference, causing service disruption. It requires local access and is not listed as actively exploited.

Executive priority

Treat as a moderate availability risk. Patch promptly where Linux CAN is operationally important, especially in embedded or industrial environments. For ordinary servers without CAN use, handle through normal kernel update cycles.

Technical view

can_get_echo_skb() could indirectly free an skb with kfree_skb() in hard IRQ context via netif_rx()/enqueue_to_backlog(). The fix keeps the skb referenced and later frees it with IRQ-safe helpers such as dev_consume_skb_any() or dev_kfree_skb_any(). CWE-476 applies.

Likely exposure

Exposure is most relevant to Linux systems using CAN network devices or drivers, especially embedded, automotive, industrial, or lab systems. General Linux servers without CAN interfaces are less likely to be exposed based on the source description.

Exploitation context

The CVSS vector is local, low complexity, low privileges, no user interaction, with high availability impact. The bundle does not cite public exploitation, weaponized proof-of-concept activity, or CISA KEV listing.

Researcher notes

The public source states the issue is local to the CAN stack assumption and arose because loopback skbs were not expected in hardware IRQ context. Evidence is incomplete on exploitability beyond denial of service, and no active exploitation is cited.

Mitigation direction

  • Apply vendor kernel updates containing the referenced Linux stable fixes.
  • Prioritize CAN-enabled embedded, industrial, automotive, and test systems.
  • Check distribution advisories for fixed kernel package versions.
  • Avoid direct wrangler or unrelated deployment actions; this is kernel maintenance.
  • Track unsupported kernels for upgrade or vendor backport decisions.

Validation and detection

  • Inventory Linux hosts and identify systems with CAN hardware or CAN drivers enabled.
  • Compare running kernel builds against vendor fixed versions or referenced stable commits.
  • Review kernel logs for CAN-related WARN_ON(in_irq) or NULL dereference symptoms.
  • Confirm patched hosts boot the updated kernel, not only install the package.
Prepared
Confidence
high
Sources
9

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-476: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2020-36789 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
5.5 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
1ADP providers
8Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
5.5CVSS 3.1MediumCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H1.83.6CISA-ADP

Vulnerability scoring details

Base CVSS 3.1 score

5.5Medium
CVSS 3.1 vector shape for CVE-2020-36789Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
cvssV3_1other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux39549eef3587f1c1e8c65c88a2400d10fd30ea17, 39549eef3587f1c1e8c65c88a2400d10fd30ea17, 39549eef3587f1c1e8c65c88a2400d10fd30ea17, 39549eef3587f1c1e8c65c88a2400d10fd30ea17, 39549eef3587f1c1e8c65c88a2400d10fd30ea17, 39549eef3587f1c1e8c65c88a2400d10fd30ea17, 39549eef3587f1c1e8c65c88a2400d10fd30ea17unaffected
LinuxLinux2.6.31, 0, 4.4.244, 4.9.244, 4.14.207, 4.19.158, 5.4.78, 5.9.9, 5.10affected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-476 · source CWE mapping

NULL Pointer Dereference

NULL Pointer Dereference represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.