Description
In the Linux kernel, the following vulnerability has been resolved:

can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error

In commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix
URB memory leak"), the URB was re-anchored before usb_submit_urb() in
gs_usb_receive_bulk_callback() to prevent a leak of this URB during
cleanup.

However, this patch did not take into account that usb_submit_urb() could
fail. The URB remains anchored and
usb_kill_anchored_urbs(&parent->rx_submitted) in gs_can_close() loops
infinitely since the anchor list never becomes empty.

To fix the bug, unanchor the URB when an usb_submit_urb() error occurs,
also print an info message.
Published: 2026-02-04
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via infinite loop in the CAN bus USB driver
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises when the GS USB driver attempts to submit a USB Request Block (URB) and the operation fails. The code fails to unanchor the URB, so the kernel’s anchored list never becomes empty. During driver cleanup, usb_kill_anchored_urbs() enters an infinite loop, consuming CPU and preventing the driver from releasing resources. This flaw can result in a service interruption or kernel lock‑up in systems that use the CAN bus subsystem.
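The resubmit and close paths described above, reduced to a userspace C model. This is an added example, not the gs_usb driver's code or the upstream patch; the model_* names, the fixed-size anchor array, the -ENODEV sample error and the pass limit are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
/* Userspace model, constructed for illustration; model_* names are hypothetical. */
struct model_urb { bool in_flight; };
struct model_anchor { struct model_urb *list[4]; size_t n; };

static void model_unanchor_urb(struct model_anchor *a, struct model_urb *u)
{
    for (size_t i = 0; i < a->n; i++)
        if (a->list[i] == u) {
            a->list[i] = a->list[--a->n];   /* swap-remove */
            return;
        }
}

/* Resubmit path; submit_rc stands in for the usb_submit_urb() return value. */
static int model_resubmit(struct model_anchor *a, struct model_urb *u,
                          int submit_rc, bool unanchor_on_error)
{
    a->list[a->n++] = u;                /* anchor before submitting */
    u->in_flight = (submit_rc == 0);
    if (submit_rc != 0 && unanchor_on_error)
        model_unanchor_urb(a, u);       /* the step the fix adds */
    return submit_rc;
}

/* Close path: killing an in-flight URB completes it, which unanchors it; a
 * never-submitted URB stays. max_passes only lets the model stop. */
static bool model_kill_anchored(struct model_anchor *a, int max_passes)
{
    for (int pass = 0; pass < max_passes && a->n > 0; pass++)
        for (size_t i = a->n; i-- > 0; )
            if (a->list[i]->in_flight) {
                a->list[i]->in_flight = false;
                model_unanchor_urb(a, a->list[i]);
            }
    return a->n == 0;
}

/* One successful and one failed resubmit, then close. */
static bool close_terminates(bool unanchor_on_error)
{
    struct model_anchor a = { .n = 0 };
    struct model_urb ok = { false }, failed = { false };
    model_resubmit(&a, &ok, 0, unanchor_on_error);
    model_resubmit(&a, &failed, -ENODEV, unanchor_on_error); /* constructed failure */
    return model_kill_anchored(&a, 1000);
}
```

With `unanchor_on_error` false the failed URB is still on the anchor after every pass, which is the state the real close path waits on forever.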

Affected Systems

Affected systems are Linux kernel users with the gs_usb driver, specifically kernel releases 6.12.67, 6.18.7, and 6.19 rc6, as well as any kernel built from the same source that includes the same driver code.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The flaw is not listed in CISA’s KEV catalog. An attacker would need to interact with the CAN USB subsystem, likely with kernel‑level privileges or via an application that triggers the driver’s cleanup, such as closing a device file. While no public exploit is known, the infinite loop could be triggered by malformed or failed CAN USB requests, making it a viable denial‑of‑service vector in environments where the CAN bus is used.

Generated by OpenCVE AI on April 17, 2026 at 23:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a release that includes the fix for gs_usb_receive_bulk_callback() (e.g., a kernel newer than 6.12.67 that incorporates commit 7352e1d5932a).
  • If an immediate kernel upgrade is not possible, disable the gs_usb CAN USB driver or unload the CAN subsystem modules to prevent the fault from being triggered.
  • Reboot the system after applying the patch or after disabling the driver to clear any existing anchored URBs and restore normal operation.



Advisories

No advisories yet.

History

Sat, 18 Apr 2026 09:15:00 +0000


Wed, 18 Mar 2026 13:45:00 +0000

Values added (no values removed):

  • Weaknesses: CWE-835
  • CPEs:
    cpe:2.3:o:linux:linux_kernel:6.12.67:*:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:6.18.7:*:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
  • Metrics: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Fri, 06 Feb 2026 16:45:00 +0000


Thu, 05 Feb 2026 12:15:00 +0000


Wed, 04 Feb 2026 16:30:00 +0000

Values added (no values removed):

  • Description: the text given in the Description section at the top of this page
  • Title: can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error
  • First Time appeared: Linux; Linux linux Kernel
  • CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  • Vendors & Products: Linux; Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-18T08:57:15.950Z

Reserved: 2026-01-13T15:37:45.960Z

Link: CVE-2026-23082

Vulnrichment

No data.

NVD

Status: Modified

Published: 2026-02-04T17:16:19.060

Modified: 2026-04-18T09:16:13.530

Link: CVE-2026-23082

Redhat

Severity:

Public Date: 2026-02-04T00:00:00Z

Links: CVE-2026-23082 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T23:45:25Z

Weaknesses