Description
In the Linux kernel, the following vulnerability has been resolved:

can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak

In gs_can_open(), the URBs for USB-in transfers are allocated, added to the
parent->rx_submitted anchor and submitted. In the complete callback
gs_usb_receive_bulk_callback(), the URB is processed and resubmitted. In
gs_can_close() the URBs are freed by calling
usb_kill_anchored_urbs(parent->rx_submitted).

However, this does not take into account that the USB framework unanchors
the URB before the complete function is called. This means that once an
in-URB has been completed, it is no longer anchored and is ultimately not
released in gs_can_close().

Fix the memory leak by anchoring the URB in the
gs_usb_receive_bulk_callback() to the parent->rx_submitted anchor.
Published: 2026-01-31
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service from kernel memory exhaustion
Action: Upgrade Kernel
AI Analysis

Impact

The gs_usb driver manages CAN bus devices over USB. Its bulk‑transfer routine allocates URBs, submits them, and processes them in gs_usb_receive_bulk_callback. When a URB completes, the USB subsystem removes it from the anchored list before invoking the callback, but the callback then resubmits the URB without re‑anchoring it. The URB is therefore never freed by gs_can_close, leading to a memory leak that grows with each transfer. Over time this can exhaust kernel memory, causing out‑of‑memory situations and potentially destabilizing the operating system. This flaw is a resource‑management weakness (CWE‑401).

Affected Systems

All Linux kernel versions that embed the gs_usb CAN USB driver and have not incorporated the commit that re‑anchors pending URBs are affected. That includes mainline kernels and distributions that ship the unpatched gs_usb module. Any kernel before the fix remains vulnerable, regardless of distribution or patch level.

Risk and Exploitability

The CVSS score of 7.0 points to high severity, while the EPSS rank of less than 1 % indicates a low probability of exploitation. Exploitation requires the system to process repeated USB bulk transfers to a CAN device, which typically means the device must be physically connected or an attacker must have privileged access. There is no remote code execution or elevation of privilege path documented, so the attack vector is inferred to be local device‑based.

Generated by OpenCVE AI on April 18, 2026 at 20:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a release that contains the gs_usb URB anchoring patch.
  • If an upgrade cannot be performed immediately, unload or disable the gs_usb module or block USB CAN devices to stop the memory leak in action.
  • Continuously monitor kernel memory usage; if usage rises unexpectedly, restart the system or apply the kernel patch promptly.

Generated by OpenCVE AI on April 18, 2026 at 20:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4476-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6126-1 linux security update
Debian DSA Debian DSA DSA-6127-1 linux security update
Ubuntu USN Ubuntu USN USN-8278-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8289-1 Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN Ubuntu USN USN-8296-1 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8296-2 Linux kernel (NVIDIA Tegra) vulnerabilities
Ubuntu USN Ubuntu USN USN-8278-2 Linux kernel (Azure) vulnerabilities
History

Tue, 02 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
References

Sat, 18 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
CWE-401

Sat, 18 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
References

Fri, 06 Feb 2026 16:45:00 +0000

Type Values Removed Values Added
References

Mon, 02 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Sat, 31 Jan 2026 12:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak In gs_can_open(), the URBs for USB-in transfers are allocated, added to the parent->rx_submitted anchor and submitted. In the complete callback gs_usb_receive_bulk_callback(), the URB is processed and resubmitted. In gs_can_close() the URBs are freed by calling usb_kill_anchored_urbs(parent->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in gs_can_close(). Fix the memory leak by anchoring the URB in the gs_usb_receive_bulk_callback() to the parent->rx_submitted anchor.
Title can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-02T13:00:52.214Z

Reserved: 2026-01-13T15:37:45.942Z

Link: CVE-2026-23031

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-01-31T12:16:06.413

Modified: 2026-06-02T14:16:46.560

Link: CVE-2026-23031

cve-icon Redhat

Severity : Important

Publid Date: 2026-01-31T00:00:00Z

Links: CVE-2026-23031 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T20:45:05Z

Weaknesses