Description
In the Linux kernel, the following vulnerability has been resolved:

can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak

Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
gs_usb_receive_bulk_callback(): fix URB memory leak").

In ems_usb_open(), the URBs for USB-in transfers are allocated, added to
the dev->rx_submitted anchor and submitted. In the complete callback
ems_usb_read_bulk_callback(), the URBs are processed and resubmitted. In
ems_usb_close() the URBs are freed by calling
usb_kill_anchored_urbs(&dev->rx_submitted).

However, this does not take into account that the USB framework unanchors
the URB before the complete function is called. This means that once an
in-URB has been completed, it is no longer anchored and is ultimately not
released in ems_usb_close().

Fix the memory leak by anchoring the URB in the
ems_usb_read_bulk_callback() to the dev->rx_submitted anchor.
Published: 2026-02-04
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory Leak – Potential Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The Linux kernel eMS USB driver suffers a memory leak in the URB completion callback. When an inbound USB transfer completes, the URB is unanchored by the USB subsystem before the driver’s callback is invoked, so the URB is never freed unless the device is closed. The unreleased memory accumulates with each transfer, allowing a sustained leak that can exhaust kernel memory and degrade system responsiveness. The flaw maps to CWE‑401, a missing release of memory after its effective lifetime.

Affected Systems

Any system running a Linux kernel that includes the eMS USB driver is potentially affected, regardless of distribution. The advisory does not specify a version range; only kernels that contain the unpatched code before the reference commit are at risk. Updated kernels that contain the fix commit are not vulnerable.

Risk and Exploitability

The CVSS score of 7.0 marks this issue as high severity. The EPSS score of less than 1% indicates that, at present, exploitation is unlikely outside of a targeted attack. Based on the description, the likely attack vector is local or physical access to the affected machine to attach a malicious or traffic‑heavy USB device that repeatedly triggers the callback. The vulnerability does not appear in the CISA KEV list. A successful exploitation could force the system into a memory‑starved state, effectively denying service.

Generated by OpenCVE AI on April 18, 2026 at 18:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the commit that anchors URBs in the callback (the reference patch is in the publicly available commit list).
  • If a kernel update is not immediately available, disable the eMS USB device or restrict USB access sufficient to prevent the driver from loading into the system.
  • After applying a patch or disabling the driver, monitor kernel memory usage and overall system stability to ensure the memory leak has been mitigated.

Generated by OpenCVE AI on April 18, 2026 at 18:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4475-1 linux security update
Debian DLA Debian DLA DLA-4476-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6126-1 linux security update
Debian DSA Debian DSA DSA-6127-1 linux security update
Ubuntu USN Ubuntu USN USN-8162-1 Linux kernel (NVIDIA Tegra) vulnerabilities
Ubuntu USN Ubuntu USN USN-8180-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8180-2 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8186-1 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8187-1 Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN Ubuntu USN USN-8188-1 Linux kernel (HWE) vulnerabilities
History

Sat, 18 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Fri, 06 Feb 2026 16:45:00 +0000

Type Values Removed Values Added
References

Thu, 05 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 04 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In ems_usb_open(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the complete callback ems_usb_read_bulk_callback(), the URBs are processed and resubmitted. In ems_usb_close() the URBs are freed by calling usb_kill_anchored_urbs(&dev->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in ems_usb_close(). Fix the memory leak by anchoring the URB in the ems_usb_read_bulk_callback() to the dev->rx_submitted anchor.
Title can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-09T08:37:56.573Z

Reserved: 2026-01-13T15:37:45.952Z

Link: CVE-2026-23058

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-02-04T17:16:16.480

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-23058

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-04T00:00:00Z

Links: CVE-2026-23058 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T18:45:05Z

Weaknesses