LiveActive security incident?Get immediate response
CVE Record

CVE-2021-4454: can: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate

In the Linux kernel, the following vulnerability has been resolved: can: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate The conclusion "j1939_session_deactivate() should be called with a session ref-count of at least 2" is incorrect. In some concurrent scenarios, j1939_session_deactivate can be called with the session ref-count less than 2. But there is not any problem because it will check the session active state before session putting in j1939_session_deactivate_locked(). Here is the concurrent scenario of the problem reported by syzbot and my reproduction log. cpu0 cpu1 j1939_xtp_rx_eoma j1939_xtp_rx_abort_one j1939_session_get_by_addr [kref == 2] j1939_session_get_by_addr [kref == 3] j1939_session_deactivate [kref == 2] j1939_session_put [kref == 1] j1939_session_completed j1939_session_deactivate WARN_ON_ONCE(kref < 2) ===================================================== WARNING: CPU: 1 PID: 21 at net/can/j1939/transport.c:1088 j1939_session_deactivate+0x5f/0x70 CPU: 1 PID: 21 Comm: ksoftirqd/1 Not tainted 5.14.0-rc7+ #32 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014 RIP: 0010:j1939_session_deactivate+0x5f/0x70 Call Trace: j1939_session_deactivate_activate_next+0x11/0x28 j1939_xtp_rx_eoma+0x12a/0x180 j1939_tp_recv+0x4a2/0x510 j1939_can_recv+0x226/0x380 can_rcv_filter+0xf8/0x220 can_receive+0x102/0x220 ? process_backlog+0xf0/0x2c0 can_rcv+0x53/0xf0 __netif_receive_skb_one_core+0x67/0x90 ? process_backlog+0x97/0x2c0 __netif_receive_skb+0x22/0x80

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysislow

Security readout for executives and security teams

Plain-English summary

This is a Linux kernel issue in the CAN J1939 networking code. A race can trigger a kernel warning because the code made an incorrect reference-count assumption. The source does not show data theft, privilege escalation, or confirmed real-world exploitation.

Executive priority

Treat this as routine kernel maintenance unless your environment uses CAN J1939 in production or safety-sensitive operations. There is no cited evidence of exploitation, but affected kernels should still be updated through normal change windows.

Technical view

The flaw involves j1939_session_deactivate() in net/can/j1939/transport.c. Concurrent J1939 transport handling can call the function with a lower session kref than expected, triggering WARN_ON_ONCE even though the later active-state check makes the condition non-fatal in the described scenario.

Likely exposure

Exposure is limited to Linux systems using the kernel CAN J1939 stack. The bundle lists Linux as affected, including 5.14 and several stable-version ranges, but does not provide CPEs or distribution-specific package mapping.

Exploitation context

No active exploitation is supported by the provided sources. The CVE is not marked KEV, and the description comes from a syzbot/reproduction concurrency warning rather than a public attack report.

Researcher notes

The source describes a concurrency/refcount warning path, not a demonstrated memory corruption primitive. The affected-version metadata is sparse and partly commit-based, so validation should rely on vendor kernel backport status or presence of the stable commits.

Mitigation direction

  • Check your Linux vendor advisory for the fixed kernel build.
  • Upgrade to a kernel containing the referenced stable fixes.
  • Prioritize systems that enable or depend on CAN J1939 networking.
  • If immediate upgrade is impossible, reduce exposure to CAN/J1939 interfaces where operationally safe.

Validation and detection

  • Inventory running kernel versions on systems using CAN J1939.
  • Confirm whether the referenced stable commits are present in deployed kernels.
  • Review kernel logs for WARN_ON_ONCE reports in j1939_session_deactivate.
  • Map distribution packages to the CVE record before declaring remediation complete.
Prepared
Confidence
medium
Sources
7

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2021-4454 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
6Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux7eef18c0479ba5d9f54fba30cd77c233ebca3eb1, 55dd22c5d029423f513fd849e633adf0e9c10d0c, 0c71437dd50dd687c15d8ca80b3b68f10bb21d63, 0c71437dd50dd687c15d8ca80b3b68f10bb21d63, 0c71437dd50dd687c15d8ca80b3b68f10bb21d63, 5e1fc537c1be332aef9621ca9146aeb3ba59522f, 5.4.138, 5.10.56, 5.13.8unaffected
LinuxLinux5.14, 0, 5.4.232, 5.10.168, 5.15.93, 6.1.11, 6.2affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.