Description
In the Linux kernel, the following vulnerability has been resolved:

can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak

Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
gs_usb_receive_bulk_callback(): fix URB memory leak").

In mcba_usb_probe() -> mcba_usb_start(), the URBs for USB-in transfers are
allocated, added to the priv->rx_submitted anchor and submitted. In the
complete callback mcba_usb_read_bulk_callback(), the URBs are processed and
resubmitted. In mcba_usb_close() -> mcba_urb_unlink() the URBs are freed by
calling usb_kill_anchored_urbs(&priv->rx_submitted).

However, this does not take into account that the USB framework unanchors
the URB before the complete function is called. This means that once an
in-URB has been completed, it is no longer anchored and is ultimately not
released in usb_kill_anchored_urbs().

Fix the memory leak by anchoring the URB in the
mcba_usb_read_bulk_callback() to the priv->rx_submitted anchor.
Published: 2026-02-04
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: memory exhaustion leading to possible denial of service via memory leak
Action: Monitor
AI Analysis

Impact

The vulnerability is a memory leak (CWE-401) in the Linux mcba_usb CAN driver. In mcba_usb_probe() -> mcba_usb_start() the driver allocates its USB-in URBs (USB request blocks), anchors them on priv->rx_submitted and submits them. When a transfer completes, the USB core unanchors the URB before it calls the driver's completion handler, mcba_usb_read_bulk_callback(), and that handler resubmits the URB without anchoring it again. When the interface is later closed, mcba_usb_close() -> mcba_urb_unlink() releases the receive URBs with usb_kill_anchored_urbs(&priv->rx_submitted), which can only reach URBs that are still on the anchor; any in-URB that has completed at least once is therefore never killed or freed. Every open/close cycle on a device that received data while the interface was up leaves those URBs behind, and repeating the cycle accumulates unreclaimable kernel memory, which can end in a denial-of-service condition.
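
To make the ordering concrete, here is an added user-space C model of the lifecycle described above. It is illustrative code written for this page, not the mcba_usb driver and not the USB core: the function names mirror the kernel API (anchor, unanchor, submit, giveback, kill_anchored), but their bodies are a simplified reconstruction of the core's reference counting, and the pool size MAX_RX_URBS, the ENOENT_STATUS constant and the fix_applied switch are assumptions made for the model.

```c
/* Added user-space model of the URB anchoring lifecycle: not the mcba_usb
 * driver and not the USB core. Names mirror the kernel API; bodies are a
 * simplified reconstruction of its reference counting. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_RX_URBS   20   /* assumed size of the rx URB pool */
#define ENOENT_STATUS (-2) /* assumed status handed to complete() on kill */
struct urb { int refcnt; bool in_flight, anchored; struct urb *anchor_next; };
struct anchor { struct urb *head; };

static struct urb *pending[MAX_RX_URBS];  /* the "host controller" queue */
static int n_pending, live_urbs;          /* live_urbs: allocated, not freed */
static bool fix_applied;                  /* does the callback re-anchor? */
static struct anchor rx_submitted;

static struct urb *urb_alloc(void) {
    struct urb *u = calloc(1, sizeof *u);
    if (!u) abort();
    u->refcnt = 1; live_urbs++;
    return u;
}
static void urb_get(struct urb *u) { u->refcnt++; }
static void urb_put(struct urb *u) { if (--u->refcnt == 0) { free(u); live_urbs--; } }

/* usb_anchor_urb()/usb_unanchor_urb(): the anchor holds its own reference. */
static void anchor_urb(struct urb *u, struct anchor *a) {
    urb_get(u); u->anchored = true; u->anchor_next = a->head; a->head = u;
}
static void unanchor_urb(struct urb *u, struct anchor *a) {
    struct urb **pp = &a->head;
    while (*pp && *pp != u) pp = &(*pp)->anchor_next;
    if (!*pp) return;
    *pp = u->anchor_next; u->anchored = false; urb_put(u);
}

/* usb_submit_urb(): the in-flight submission holds a reference. */
static void submit_urb(struct urb *u) {
    urb_get(u); u->in_flight = true; pending[n_pending++] = u;
}
static void dequeue_pending(struct urb *u) {
    for (int i = 0; i < n_pending; i++)
        if (pending[i] == u) { pending[i] = pending[--n_pending]; break; }
    u->in_flight = false;
}

/* Modelled on mcba_usb_read_bulk_callback(): resubmit on success, bail
 * out without resubmitting on a kill/shutdown status. */
static void read_bulk_callback(struct urb *u, int status) {
    if (status != 0) return;
    if (fix_applied) anchor_urb(u, &rx_submitted); /* the fix: re-anchor */
    submit_urb(u);
}

/* USB core giveback: the URB is unanchored *before* complete() runs and
 * the submission reference is dropped afterwards. */
static void giveback_urb(struct urb *u, int status) {
    dequeue_pending(u);
    if (u->anchored) unanchor_urb(u, &rx_submitted);
    read_bulk_callback(u, status);
    urb_put(u);
}

/* usb_kill_anchored_urbs(): reaches only URBs still on the anchor. */
static void kill_anchored_urbs(struct anchor *a) {
    while (a->head) {
        struct urb *victim = a->head;
        urb_get(victim);                    /* keep it alive across the kill */
        if (victim->in_flight) giveback_urb(victim, ENOENT_STATUS);
        else unanchor_urb(victim, a);
        urb_put(victim);
    }
}

/* One open -> traffic -> close cycle; returns URBs left allocated, i.e.
 * the URBs still in flight that close() could not reach. */
static int run_cycle(bool with_fix, int completions_per_urb) {
    fix_applied = with_fix; rx_submitted.head = NULL; n_pending = live_urbs = 0;

    for (int i = 0; i < MAX_RX_URBS; i++) {  /* mcba_usb_start() */
        struct urb *u = urb_alloc();
        anchor_urb(u, &rx_submitted);
        submit_urb(u);
        urb_put(u);                          /* driver drops its own ref */
    }
    for (int round = 0; round < completions_per_urb; round++) { /* traffic */
        struct urb *batch[MAX_RX_URBS];
        int n = n_pending;
        for (int i = 0; i < n; i++) batch[i] = pending[i];
        for (int i = 0; i < n; i++) giveback_urb(batch[i], 0);
    }
    kill_anchored_urbs(&rx_submitted);       /* mcba_usb_close() */
    return live_urbs;
}

int main(void) {
    printf("no fix: idle %d, traffic %d leaked; fix: traffic %d leaked\n",
           run_cycle(false, 0), run_cycle(false, 3), run_cycle(true, 3));
}
```

With no traffic before close, every URB is still on the anchor and nothing leaks even without the fix; once a URB has completed once, the unfixed callback resubmits it unanchored and the close path loses all MAX_RX_URBS of them, while the re-anchoring callback brings the count back to zero. The general rule this illustrates: any completion handler that resubmits its URB must re-anchor it, because usb_kill_anchored_urbs() can only release what is on the anchor at the moment it runs.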

Affected Systems

The flaw affects Linux kernels built with the mcba_usb driver (CONFIG_CAN_MCBA_USB) that do not yet carry the anchoring fix. NVD's CPE entries name only the generic linux:linux_kernel wildcard and the 6.19 release candidates (rc1 through rc6), but the driver predates 6.19 and the Debian and Ubuntu advisories listed below cover stable and LTS kernels as well (including Debian's linux-6.1 packages), so the rc-only list should not be read as the full affected range. Check whether the running kernel ships the driver (modinfo mcba_usb) and whether the distribution update for this CVE has been applied.

Risk and Exploitability

The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (score 5.5, Medium) describes a local, low-privilege attack with no confidentiality or integrity impact and high availability impact. The EPSS score below 1 % indicates a very low probability of exploitation in the wild, and the issue is not listed in the CISA KEV catalog. Reaching the leak requires an attached mcba_usb CAN device that has received traffic while its network interface was up, followed by closing the interface; growing the leak to a meaningful size means repeating that up/down cycle, which on a normally configured host needs CAP_NET_ADMIN. This reading follows from the description; no remote code execution or privilege escalation is described.

Generated by OpenCVE AI on April 18, 2026 at 13:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a kernel that anchors the URB in mcba_usb_read_bulk_callback(), as the description and the referenced gs_usb commit describe, or apply the distribution updates listed under Advisories.
  • If an immediate update is unavailable, disable the mcba_usb driver (for example by blacklisting the module in modprobe.d) or avoid repeatedly bringing the mcba_usb CAN interface up and down while a device is attached, since each close of an interface that has received data leaves its receive URBs unreleased.
  • Restrict which USB devices may be attached (device filtering, or the USB core's per-device authorized attribute) so that only trusted CAN bus analyzer hardware can reach the driver, reducing the chance of accidental or malicious traffic.

Generated by OpenCVE AI on April 18, 2026 at 13:53 UTC.

Advisories
Source       ID           Title
Debian DLA   DLA-4475-1   linux security update
Debian DLA   DLA-4476-1   linux-6.1 security update
Debian DSA   DSA-6126-1   linux security update
Debian DSA   DSA-6127-1   linux security update
Ubuntu USN   USN-8162-1   Linux kernel (NVIDIA Tegra) vulnerabilities
Ubuntu USN   USN-8180-1   Linux kernel vulnerabilities
Ubuntu USN   USN-8180-2   Linux kernel (FIPS) vulnerabilities
Ubuntu USN   USN-8186-1   Linux kernel (Real-time) vulnerabilities
Ubuntu USN   USN-8187-1   Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN   USN-8188-1   Linux kernel (HWE) vulnerabilities

History

Wed, 18 Mar 2026 14:00:00 +0000

Type         Values Removed   Values Added
Weaknesses                    CWE-401
CPEs                          cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
                              cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
                              cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
                              cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
                              cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
                              cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
Metrics                       cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Fri, 06 Feb 2026 16:45:00 +0000


Thu, 05 Feb 2026 12:15:00 +0000


Wed, 04 Feb 2026 16:30:00 +0000

Type                  Values Removed   Values Added
Description                            In the Linux kernel, the following vulnerability has been resolved: can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In mcba_usb_probe() -> mcba_usb_start(), the URBs for USB-in transfers are allocated, added to the priv->rx_submitted anchor and submitted. In the complete callback mcba_usb_read_bulk_callback(), the URBs are processed and resubmitted. In mcba_usb_close() -> mcba_urb_unlink() the URBs are freed by calling usb_kill_anchored_urbs(&priv->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in usb_kill_anchored_urbs(). Fix the memory leak by anchoring the URB in the mcba_usb_read_bulk_callback() to the priv->rx_submitted anchor.
Title                                  can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak
First Time appeared                    Linux
                                       Linux linux Kernel
CPEs                                   cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products                     Linux
                                       Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-09T08:38:19.968Z

Reserved: 2026-01-13T15:37:45.959Z

Link: CVE-2026-23080

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-02-04T17:16:18.750

Modified: 2026-03-18T13:48:13.997

Link: CVE-2026-23080

Redhat

Severity : Moderate

Public Date: 2026-02-04T00:00:00Z

Links: CVE-2026-23080 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T14:00:02Z

Weaknesses