CVE-2020-36789: can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ context
In the Linux kernel, the following vulnerability has been resolved:
can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ context
If a driver calls can_get_echo_skb() during a hardware IRQ (which is often, but
not always, the case), the 'WARN_ON(in_irq)' in
net/core/skbuff.c#skb_release_head_state() might be triggered, under network
congestion circumstances, together with the potential risk of a NULL pointer
dereference.
The root cause of this issue is the call to kfree_skb() instead of
dev_kfree_skb_irq() in net/core/dev.c#enqueue_to_backlog().
This patch prevents the skb to be freed within the call to netif_rx() by
incrementing its reference count with skb_get(). The skb is finally freed by
one of the in-irq-context safe functions: dev_consume_skb_any() or
dev_kfree_skb_any(). The "any" version is used because some drivers might call
can_get_echo_skb() in a normal context.
The reason for this issue to occur is that initially, in the core network
stack, loopback skb were not supposed to be received in hardware IRQ context.
The CAN stack is an exeption.
This bug was previously reported back in 2017 in [1] but the proposed patch
never got accepted.
While [1] directly modifies net/core/dev.c, we try to propose here a
smoother modification local to CAN network stack (the assumption
behind is that only CAN devices are affected by this issue).
[1] http://lore.kernel.org/r/57a3ffb6-3309-3ad5-5a34-e93c3fe3614d@cetitec.com
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel availability bug in the CAN networking stack. Under congestion, some CAN drivers calling echo handling from hardware interrupt context can trigger a kernel warning and potentially a NULL pointer dereference, causing service disruption. It requires local access and is not listed as actively exploited.
Executive priority
Treat as a moderate availability risk. Patch promptly where Linux CAN is operationally important, especially in embedded or industrial environments. For ordinary servers without CAN use, handle through normal kernel update cycles.
Technical view
can_get_echo_skb() could indirectly free an skb with kfree_skb() in hard IRQ context via netif_rx()/enqueue_to_backlog(). The fix keeps the skb referenced and later frees it with IRQ-safe helpers such as dev_consume_skb_any() or dev_kfree_skb_any(). CWE-476 applies.
Likely exposure
Exposure is most relevant to Linux systems using CAN network devices or drivers, especially embedded, automotive, industrial, or lab systems. General Linux servers without CAN interfaces are less likely to be exposed based on the source description.
Exploitation context
The CVSS vector is local, low complexity, low privileges, no user interaction, with high availability impact. The bundle does not cite public exploitation, weaponized proof-of-concept activity, or CISA KEV listing.
Researcher notes
The public source states the issue is local to the CAN stack assumption and arose because loopback skbs were not expected in hardware IRQ context. Evidence is incomplete on exploitability beyond denial of service, and no active exploitation is cited.
Mitigation direction
Apply vendor kernel updates containing the referenced Linux stable fixes.
Prioritize CAN-enabled embedded, industrial, automotive, and test systems.
Check distribution advisories for fixed kernel package versions.
Avoid direct wrangler or unrelated deployment actions; this is kernel maintenance.
Track unsupported kernels for upgrade or vendor backport decisions.
Validation and detection
Inventory Linux hosts and identify systems with CAN hardware or CAN drivers enabled.
Compare running kernel builds against vendor fixed versions or referenced stable commits.
Review kernel logs for CAN-related WARN_ON(in_irq) or NULL dereference symptoms.
Confirm patched hosts boot the updated kernel, not only install the package.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-476: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-476 · source CWE mapping
NULL Pointer Dereference
NULL Pointer Dereference represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.