CVE-2021-46994: can: mcp251x: fix resume from sleep before interface was brought up
In the Linux kernel, the following vulnerability has been resolved:
can: mcp251x: fix resume from sleep before interface was brought up
Since 8ce8c0abcba3 the driver queues work via priv->restart_work when
resuming after suspend, even when the interface was not previously
enabled. This causes a null dereference error as the workqueue is only
allocated and initialized in mcp251x_open().
To fix this we move the workqueue init to mcp251x_can_probe() as there
is no reason to do it later and repeat it whenever mcp251x_open() is
called.
[mkl: fix error handling in mcp251x_stop()]
Security readout for executives and security teams
Plain-English summary
This Linux kernel issue can crash systems using the MCP251x CAN controller driver during resume from sleep when the network interface was never opened. The business risk is mainly availability for embedded, industrial, automotive, or IoT systems relying on CAN hardware. Sources do not show data theft, privilege escalation, or active exploitation.
Executive priority
Handle through normal kernel maintenance unless the organization operates CAN-enabled Linux devices where sleep/resume failures could disrupt production or safety-adjacent workflows. For those environments, prioritize validation and kernel updates with operations teams.
Technical view
The mcp251x CAN driver queued priv->restart_work during resume after commit 8ce8c0abcba3, even when mcp251x_open() had not allocated or initialized the workqueue. That can trigger a null pointer dereference. The fix moves workqueue initialization to mcp251x_can_probe() and adjusts stop-path error handling.
Likely exposure
Exposure appears limited to Linux systems using the mcp251x CAN driver with affected kernel code. General servers without MCP251x CAN hardware or this driver path are unlikely to be exposed. Higher concern applies to embedded and operational systems where suspend/resume and CAN availability matter.
Exploitation context
The source bundle does not identify a remote attack path, public exploitation, or KEV listing. Triggering depends on the affected driver state around suspend and resume, so practical risk depends on deployed hardware, driver use, and power-management behavior.
Researcher notes
CVE data ties the regression to Linux commit 8ce8c0abcba3 and stable fixes including eecb4df8, 6f8f1c27, e1e10a39, and 03c42714. No CVSS, CWE, exploit status, or broader impact evidence is provided in the bundle.
Mitigation direction
Update to a vendor-supported kernel containing the referenced mcp251x stable fixes.
Prioritize CAN-enabled embedded or industrial hosts that use MCP251x hardware and suspend/resume.
Where patching is delayed, check vendor guidance for safe operational workarounds.
Avoid deploying affected kernel builds on systems requiring high CAN availability.
Validation and detection
Inventory Linux systems with MCP251x CAN controllers or the mcp251x driver enabled.
Check kernel versions and vendor changelogs for the referenced stable fix commits.
Review suspend/resume logs for null dereference or mcp251x restart_work failures.
Confirm updated kernels resume cleanly across relevant CAN interface states.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2021-46994 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.