CVE-2021-4454: can: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate
In the Linux kernel, the following vulnerability has been resolved:
can: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate
The conclusion "j1939_session_deactivate() should be called with a
session ref-count of at least 2" is incorrect. In some concurrent
scenarios, j1939_session_deactivate can be called with the session
ref-count less than 2. But there is not any problem because it
will check the session active state before session putting in
j1939_session_deactivate_locked().
Here is the concurrent scenario of the problem reported by syzbot
and my reproduction log.
cpu0 cpu1
j1939_xtp_rx_eoma
j1939_xtp_rx_abort_one
j1939_session_get_by_addr [kref == 2]
j1939_session_get_by_addr [kref == 3]
j1939_session_deactivate [kref == 2]
j1939_session_put [kref == 1]
j1939_session_completed
j1939_session_deactivate
WARN_ON_ONCE(kref < 2)
=====================================================
WARNING: CPU: 1 PID: 21 at net/can/j1939/transport.c:1088 j1939_session_deactivate+0x5f/0x70
CPU: 1 PID: 21 Comm: ksoftirqd/1 Not tainted 5.14.0-rc7+ #32
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014
RIP: 0010:j1939_session_deactivate+0x5f/0x70
Call Trace:
j1939_session_deactivate_activate_next+0x11/0x28
j1939_xtp_rx_eoma+0x12a/0x180
j1939_tp_recv+0x4a2/0x510
j1939_can_recv+0x226/0x380
can_rcv_filter+0xf8/0x220
can_receive+0x102/0x220
? process_backlog+0xf0/0x2c0
can_rcv+0x53/0xf0
__netif_receive_skb_one_core+0x67/0x90
? process_backlog+0x97/0x2c0
__netif_receive_skb+0x22/0x80
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel issue in the CAN J1939 networking code. A race can trigger a kernel warning because the code made an incorrect reference-count assumption. The source does not show data theft, privilege escalation, or confirmed real-world exploitation.
Executive priority
Treat this as routine kernel maintenance unless your environment uses CAN J1939 in production or safety-sensitive operations. There is no cited evidence of exploitation, but affected kernels should still be updated through normal change windows.
Technical view
The flaw involves j1939_session_deactivate() in net/can/j1939/transport.c. Concurrent J1939 transport handling can call the function with a lower session kref than expected, triggering WARN_ON_ONCE even though the later active-state check makes the condition non-fatal in the described scenario.
Likely exposure
Exposure is limited to Linux systems using the kernel CAN J1939 stack. The bundle lists Linux as affected, including 5.14 and several stable-version ranges, but does not provide CPEs or distribution-specific package mapping.
Exploitation context
No active exploitation is supported by the provided sources. The CVE is not marked KEV, and the description comes from a syzbot/reproduction concurrency warning rather than a public attack report.
Researcher notes
The source describes a concurrency/refcount warning path, not a demonstrated memory corruption primitive. The affected-version metadata is sparse and partly commit-based, so validation should rely on vendor kernel backport status or presence of the stable commits.
Mitigation direction
Check your Linux vendor advisory for the fixed kernel build.
Upgrade to a kernel containing the referenced stable fixes.
Prioritize systems that enable or depend on CAN J1939 networking.
If immediate upgrade is impossible, reduce exposure to CAN/J1939 interfaces where operationally safe.
Validation and detection
Inventory running kernel versions on systems using CAN J1939.
Confirm whether the referenced stable commits are present in deployed kernels.
Review kernel logs for WARN_ON_ONCE reports in j1939_session_deactivate.
Map distribution packages to the CVE record before declaring remediation complete.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2021-4454 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
6Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Mar 27, 2025, 16:37 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.