{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23324", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.996Z", "datePublished": "2026-03-25T10:27:17.476Z", "dateUpdated": "2026-03-25T10:27:17.476Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:17.476Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: usb: etas_es58x: correctly anchor the urb in the read bulk callback\n\nWhen submitting an urb, that is using the anchor pattern, it needs to be\nanchored before submitting it otherwise it could be leaked if\nusb_kill_anchored_urbs() is called. This logic is correctly done\nelsewhere in the driver, except in the read bulk callback so do that\nhere also."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/can/usb/etas_es58x/es58x_core.c"], "versions": [{"version": "8537257874e949a59c834cecfd5a063e11b64b0b", "lessThan": "2185ea6e4ebcb61d1224dc7d187c59723cb5ad59", "status": "affected", "versionType": "git"}, {"version": "8537257874e949a59c834cecfd5a063e11b64b0b", "lessThan": "f6e90c113c92e83fc0963d5e60e16b0e8a268981", "status": "affected", "versionType": "git"}, {"version": "8537257874e949a59c834cecfd5a063e11b64b0b", "lessThan": "b878444519fa03a3edd287d1963cf79ef78be2f1", "status": "affected", "versionType": "git"}, {"version": "8537257874e949a59c834cecfd5a063e11b64b0b", "lessThan": "18eee279e9b5bff0db1aca9475ae4bc12804f05c", "status": "affected", "versionType": "git"}, {"version": "8537257874e949a59c834cecfd5a063e11b64b0b", "lessThan": "b8f9ca88253574638bcff38900a4c28d570b1919", "status": "affected", "versionType": "git"}, {"version": "8537257874e949a59c834cecfd5a063e11b64b0b", "lessThan": "5eaad4f768266f1f17e01232ffe2ef009f8129b7", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/can/usb/etas_es58x/es58x_core.c"], "versions": [{"version": "5.13", "status": "affected"}, {"version": "0", "lessThan": "5.13", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "7.0-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2185ea6e4ebcb61d1224dc7d187c59723cb5ad59"}, {"url": "https://git.kernel.org/stable/c/f6e90c113c92e83fc0963d5e60e16b0e8a268981"}, {"url": "https://git.kernel.org/stable/c/b878444519fa03a3edd287d1963cf79ef78be2f1"}, {"url": "https://git.kernel.org/stable/c/18eee279e9b5bff0db1aca9475ae4bc12804f05c"}, {"url": "https://git.kernel.org/stable/c/b8f9ca88253574638bcff38900a4c28d570b1919"}, {"url": "https://git.kernel.org/stable/c/5eaad4f768266f1f17e01232ffe2ef009f8129b7"}], "title": "can: usb: etas_es58x: correctly anchor the urb in the read bulk callback", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: usb: etas_es58x: correctly anchor the urb in the read bulk callback\n\nWhen submitting an urb, that is using the anchor pattern, it needs to be\nanchored before submitting it otherwise it could be leaked if\nusb_kill_anchored_urbs() is called. This logic is correctly done\nelsewhere in the driver, except in the read bulk callback so do that\nhere also."}], "id": "CVE-2026-23324", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:29.377", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/18eee279e9b5bff0db1aca9475ae4bc12804f05c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2185ea6e4ebcb61d1224dc7d187c59723cb5ad59"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5eaad4f768266f1f17e01232ffe2ef009f8129b7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b878444519fa03a3edd287d1963cf79ef78be2f1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b8f9ca88253574638bcff38900a4c28d570b1919"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f6e90c113c92e83fc0963d5e60e16b0e8a268981"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: can: usb: etas_es58x: correctly anchor the urb in the read bulk callback", "id": "2451214", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451214"}, "csaw": false, "cwe": "CWE-772", "details": ["A flaw was found in the Linux kernel's etas_es58x USB CAN bus driver. The driver fails to correctly anchor the USB Request Block (urb) in the read bulk callback. This oversight can lead to a memory leak if usb_kill_anchored_urbs() is called without the urb being properly anchored. The continuous leakage of memory could result in system instability or a Denial of Service (DoS)."], "name": "CVE-2026-23324", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23324\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23324\nhttps://lore.kernel.org/linux-cve-announce/2026032531-CVE-2026-23324-bc9e@gregkh/T"]}

{"analysis": {"en": {"generated_at": "2026-03-25T11:44:30.516666+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes the fix for the etas_es58x driver. If an update is not immediately available, remove or disable the specific USB device to prevent further interaction with the vulnerable driver. Monitor system logs for potentially related usb_kill_anchored_urbs events that may indicate instability. Verify that the kernel patch has been applied by checking the commit identifiers referenced in the advisory."], "summary": {"action": "Apply Update", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The flaw exists in the Linux kernel USB subsystem, specifically the etas_es58x driver that interfaces with certain USB devices. Any system running a kernel version that contains this driver before the patch is potentially affected. No specific kernel version ranges are listed in the advisory.", "description_and_impact": "The etas_es58x USB driver did not anchor URBs during the read bulk callback. Without anchoring, if usb_kill_anchored_urbs is invoked, the URB may be released unexpectedly, leading to memory corruption or kernel instability that can crash the system, resulting in a denial of service.", "risk_and_exploitability": "No CVSS score or EPSS data is available, and the vulnerability is not listed in the KEV catalog, indicating limited known exploitation. The missing anchor is a local issue, requiring the attacker to have the ability to communicate with the affected USB device or otherwise influence the driver. Since it could trigger a kernel crash, the risk is moderate but exploitability is low in typical scenarios."}}}}, "created": "2026-03-25T21:27:37.090003+00:00", "updated": "2026-03-25T21:27:37.090032+00:00", "vendors": [], "weaknesses": ["CWE-416", "CWE-778"]}