CVE-2026-23061 - Vulnerability Details

- can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak

Description

In the Linux kernel, the following vulnerability has been resolved:

can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak

Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
gs_usb_receive_bulk_callback(): fix URB memory leak").

In kvaser_usb_set_{,data_}bittiming() -> kvaser_usb_setup_rx_urbs(), the
URBs for USB-in transfers are allocated, added to the dev->rx_submitted
anchor and submitted. In the complete callback
kvaser_usb_read_bulk_callback(), the URBs are processed and resubmitted. In
kvaser_usb_remove_interfaces() the URBs are freed by calling
usb_kill_anchored_urbs(&dev->rx_submitted).

However, this does not take into account that the USB framework unanchors
the URB before the complete function is called. This means that once an
in-URB has been completed, it is no longer anchored and is ultimately not
released in usb_kill_anchored_urbs().

Fix the memory leak by anchoring the URB in the
kvaser_usb_read_bulk_callback() to the dev->rx_submitted anchor.

Published: 2026-02-04

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability in the Linux kernel’s kvaser_usb driver allows unanchored USB Request Blocks (URBs) to persist after completion, causing a memory leak. Over time this leak can consume kernel memory, potentially leading to resource exhaustion and a crash or degraded system performance. The flaw is a classic memory management weakness (CWE‑401).

Affected Systems

All Linux kernel versions that include the kvaser_usb driver are affected, including the 6.19 release candidates cited in the CPE entries. The issue exists in any kernel that ships the unpatched code, regardless of the specific patch level beyond the ones listed.

Risk and Exploitability

The CVSS score of 5.5 indicates a medium risk, but the EPSS score of less than 1% suggests a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Inferred attack scenarios involve a malicious or improperly configured USB CAN device that repeatedly triggers high‑frequency transfers, creating the circumstances for the URB memory leak. The attack requires physical or remote control over a USB subsystem that loads the kvaser_usb driver, and it can result in a denial of service rather than code execution or privilege escalation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`080f40a6fa28dab299da7a652e444b1e2d9231e7`	affected	< d9d824582f2ec76459ffab449e9b05c7bc49645c
`080f40a6fa28dab299da7a652e444b1e2d9231e7`	affected	< 40a3334ffda479c63e416e61ff086485e24401f7
`080f40a6fa28dab299da7a652e444b1e2d9231e7`	affected	< c1b39fa24c140bc616f51fef4175c1743e2bb132
`080f40a6fa28dab299da7a652e444b1e2d9231e7`	affected	< 7c308f7530bffafa994e0aa8dc651a312f4b9ff4
`080f40a6fa28dab299da7a652e444b1e2d9231e7`	affected	< 94a7fc42e21c7d9d1c49778cd1db52de5df52a01
`080f40a6fa28dab299da7a652e444b1e2d9231e7`	affected	< 3b1a593eab941c3f32417896cc7df564191f2482
`080f40a6fa28dab299da7a652e444b1e2d9231e7`	affected	< 248e8e1a125fa875158df521b30f2cc7e27eeeaa

Linux

affected

Version	Status	Constraints
`3.8`	affected	—
`0`	unaffected	< 3.8
`5.10.249`	unaffected	≤ 5.10.*
`5.15.199`	unaffected	≤ 5.15.*
`6.1.162`	unaffected	≤ 6.1.*
`6.6.122`	unaffected	≤ 6.6.*
`6.12.68`	unaffected	≤ 6.12.*
`6.18.8`	unaffected	≤ 6.18.*
`6.19`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc6::::::

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a kernel update that includes the committed fix for the kvaser_usb memory leak (kernel version newer than the 6.19 release candidates before the patch).
If an upgrade is not immediately possible, unload the kvaser_usb driver or prevent it from binding to untrusted USB CAN devices to stop further URB creation.
Regularly monitor kernel memory usage and system logs for signs of excessive URB allocation, and consider disabling high‑traffic USB deployments until a patch is available.

Generated by OpenCVE AI on April 17, 2026 at 23:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4475-1	linux security update
Debian DLA	DLA-4476-1	linux-6.1 security update
Debian DSA	DSA-6126-1	linux security update
Debian DSA	DSA-6127-1	linux security update
Ubuntu USN	USN-8162-1	Linux kernel (NVIDIA Tegra) vulnerabilities
Ubuntu USN	USN-8180-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8180-2	Linux kernel (FIPS) vulnerabilities
Ubuntu USN	USN-8186-1	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-8187-1	Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN	USN-8188-1	Linux kernel (HWE) vulnerabilities

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/248e8e1a125fa875158df521b30f2cc7e27eeeaa
https://git.kernel.org/stable/c/3b1a593eab941c3f32417896cc7df564191f2482
https://git.kernel.org/stable/c/40a3334ffda479c63e416e61ff086485e24401f7
https://git.kernel.org/stable/c/7c308f7530bffafa994e0aa8dc651a312f4b9ff4
https://git.kernel.org/stable/c/94a7fc42e21c7d9d1c49778cd1db52de5df52a01
https://git.kernel.org/stable/c/c1b39fa24c140bc616f51fef4175c1743e2bb132
https://git.kernel.org/stable/c/d9d824582f2ec76459ffab449e9b05c7bc49645c
https://lore.kernel.org/linux-cve-announce/2026020415-CVE-2026-23061-31be@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23061
https://www.cve.org/CVERecord?id=CVE-2026-23061

History

Fri, 13 Mar 2026 21:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-401
CPEs		cpe:2.3:o:linux:linux_kernel:6.19:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc3:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc4:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc5:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc6::::::
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Fri, 06 Feb 2026 16:45:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/40a3334ffda479c63e416e61ff086485e24401f7 https://git.kernel.org/stable/c/c1b39fa24c140bc616f51fef4175c1743e2bb132 https://git.kernel.org/stable/c/d9d824582f2ec76459ffab449e9b05c7bc49645c

Thu, 05 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026020415-CVE-2026-23061-31be@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23061 https://www.cve.org/CVERecord?id=CVE-2026-23061
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Important`

Wed, 04 Feb 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In kvaser_usb_set_{,data_}bittiming() -> kvaser_usb_setup_rx_urbs(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the complete callback kvaser_usb_read_bulk_callback(), the URBs are processed and resubmitted. In kvaser_usb_remove_interfaces() the URBs are freed by calling usb_kill_anchored_urbs(&dev->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in usb_kill_anchored_urbs(). Fix the memory leak by anchoring the URB in the kvaser_usb_read_bulk_callback() to the dev->rx_submitted anchor.
Title		can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/248e8e1a125fa875158df521b30f2cc7e27eeeaa https://git.kernel.org/stable/c/3b1a593eab941c3f32417896cc7df564191f2482 https://git.kernel.org/stable/c/7c308f7530bffafa994e0aa8dc651a312f4b9ff4 https://git.kernel.org/stable/c/94a7fc42e21c7d9d1c49778cd1db52de5df52a01

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-02-04T16:07:43.626Z

Updated: 2026-02-09T08:37:59.685Z

Reserved: 2026-01-13T15:37:45.952Z

Link: CVE-2026-23061

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-02-04T17:16:16.787

Modified: 2026-03-13T21:28:28.673

Link: CVE-2026-23061

Redhat

Severity : Important

Publid Date: 2026-02-04T00:00:00Z

Links: CVE-2026-23061 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T23:45:25Z

Weaknesses

CWE-401

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object