LiveActive security incident?Get immediate response
CVE Record

CVE-2021-46994: can: mcp251x: fix resume from sleep before interface was brought up

In the Linux kernel, the following vulnerability has been resolved: can: mcp251x: fix resume from sleep before interface was brought up Since 8ce8c0abcba3 the driver queues work via priv->restart_work when resuming after suspend, even when the interface was not previously enabled. This causes a null dereference error as the workqueue is only allocated and initialized in mcp251x_open(). To fix this we move the workqueue init to mcp251x_can_probe() as there is no reason to do it later and repeat it whenever mcp251x_open() is called. [mkl: fix error handling in mcp251x_stop()]

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysislow

Security readout for executives and security teams

Plain-English summary

This Linux kernel issue can crash systems using the MCP251x CAN controller driver during resume from sleep when the network interface was never opened. The business risk is mainly availability for embedded, industrial, automotive, or IoT systems relying on CAN hardware. Sources do not show data theft, privilege escalation, or active exploitation.

Executive priority

Handle through normal kernel maintenance unless the organization operates CAN-enabled Linux devices where sleep/resume failures could disrupt production or safety-adjacent workflows. For those environments, prioritize validation and kernel updates with operations teams.

Technical view

The mcp251x CAN driver queued priv->restart_work during resume after commit 8ce8c0abcba3, even when mcp251x_open() had not allocated or initialized the workqueue. That can trigger a null pointer dereference. The fix moves workqueue initialization to mcp251x_can_probe() and adjusts stop-path error handling.

Likely exposure

Exposure appears limited to Linux systems using the mcp251x CAN driver with affected kernel code. General servers without MCP251x CAN hardware or this driver path are unlikely to be exposed. Higher concern applies to embedded and operational systems where suspend/resume and CAN availability matter.

Exploitation context

The source bundle does not identify a remote attack path, public exploitation, or KEV listing. Triggering depends on the affected driver state around suspend and resume, so practical risk depends on deployed hardware, driver use, and power-management behavior.

Researcher notes

CVE data ties the regression to Linux commit 8ce8c0abcba3 and stable fixes including eecb4df8, 6f8f1c27, e1e10a39, and 03c42714. No CVSS, CWE, exploit status, or broader impact evidence is provided in the bundle.

Mitigation direction

  • Update to a vendor-supported kernel containing the referenced mcp251x stable fixes.
  • Prioritize CAN-enabled embedded or industrial hosts that use MCP251x hardware and suspend/resume.
  • Where patching is delayed, check vendor guidance for safe operational workarounds.
  • Avoid deploying affected kernel builds on systems requiring high CAN availability.

Validation and detection

  • Inventory Linux systems with MCP251x CAN controllers or the mcp251x driver enabled.
  • Check kernel versions and vendor changelogs for the referenced stable fix commits.
  • Review suspend/resume logs for null dereference or mcp251x restart_work failures.
  • Confirm updated kernels resume cleanly across relevant CAN interface states.
Prepared
Confidence
medium
Sources
6

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2021-46994 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
2ADP providers
5Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux8ce8c0abcba314e1fe954a1840f6568bf5aef2ef, 8ce8c0abcba314e1fe954a1840f6568bf5aef2ef, 8ce8c0abcba314e1fe954a1840f6568bf5aef2ef, 8ce8c0abcba314e1fe954a1840f6568bf5aef2efunaffected
LinuxLinux5.5, 0, 5.10.38, 5.11.22, 5.12.5, 5.13affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.