Impact
The vulnerability resides in the USB subsystem of the Linux kernel, specifically in the etas_es58x driver. A URB that is supposed to be anchored is not anchored in the read bulk callback, so when usb_kill_anchored_urbs() is later invoked it does not reach that URB and the URB is leaked. This misuse of the anchor mechanism leads to an uncontrolled resource leak; over time an attacker could exhaust kernel memory or file descriptors, resulting in a denial-of-service condition for legitimate users. The weakness corresponds to CWE-772 (Missing Release of Resource after Effective Lifetime).
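To make the anchor mechanism concrete, the following is an added, user-space model written for this page; it is not kernel code and not the etas_es58x driver, and all names (model_urb, model_anchor, model_run, ...) are ours. The USB core unanchors a URB before handing it back to the driver's completion handler, so a bulk-in callback that resubmits the URB must anchor it again. The model runs one device lifetime twice: once with a callback that resubmits without re-anchoring, once with a callback that re-anchors, and counts how many URBs a later kill-anchored-URBs pass fails to release.

```c
/* Added example: user-space model of USB URB anchoring.  Not kernel code and
 * not the etas_es58x driver; names and numbers here are constructed. */
#include <stdio.h>
#include <stdlib.h>

#define MODEL_NURBS 4

struct model_urb;

struct model_anchor {
    struct model_urb *head;          /* list of currently anchored URBs */
};

struct model_urb {
    int id;
    int anchored;
    struct model_urb *next;          /* link in the anchor list */
    struct model_anchor *anchor;
};

struct model_dev {
    struct model_anchor rx_anchor;   /* anchor for bulk-in URBs */
    struct model_urb *urbs[MODEL_NURBS];
    int allocated;                   /* URBs not yet freed */
    int reanchor_on_resubmit;        /* 1 = corrected callback, 0 = defective one */
};

/* Counterpart of usb_anchor_urb(): put the URB on the anchor's list. */
static void model_anchor_urb(struct model_urb *urb, struct model_anchor *anchor)
{
    if (urb->anchored)
        return;
    urb->next = anchor->head;
    anchor->head = urb;
    urb->anchored = 1;
    urb->anchor = anchor;
}

/* Counterpart of usb_unanchor_urb(): drop the URB from its anchor's list. */
static void model_unanchor_urb(struct model_urb *urb)
{
    struct model_urb **pp;

    if (!urb->anchored)
        return;
    for (pp = &urb->anchor->head; *pp; pp = &(*pp)->next) {
        if (*pp == urb) {
            *pp = urb->next;
            break;
        }
    }
    urb->next = NULL;
    urb->anchored = 0;
    urb->anchor = NULL;
}

static void model_free_urb(struct model_dev *dev, struct model_urb *urb)
{
    dev->urbs[urb->id] = NULL;
    dev->allocated--;
    free(urb);
}

/* Driver-side bulk-in completion.  status 0: data arrived, resubmit the URB.
 * Non-zero: the URB was killed, release it.  As in the kernel core, the caller
 * has already unanchored the URB before this runs. */
static void model_rx_complete(struct model_dev *dev, struct model_urb *urb, int status)
{
    if (status != 0) {
        model_free_urb(dev, urb);
        return;
    }
    /* The corrected callback re-anchors the URB it resubmits. */
    if (dev->reanchor_on_resubmit)
        model_anchor_urb(urb, &dev->rx_anchor);
}

/* Core-side giveback: unanchor first, then run the driver's completion. */
static void model_giveback(struct model_dev *dev, struct model_urb *urb, int status)
{
    model_unanchor_urb(urb);
    model_rx_complete(dev, urb, status);
}

/* Counterpart of usb_kill_anchored_urbs(): only anchored URBs are reachable. */
static void model_kill_anchored_urbs(struct model_dev *dev)
{
    while (dev->rx_anchor.head)
        model_giveback(dev, dev->rx_anchor.head, -1);
}

/* One device lifetime: submit and anchor all URBs, complete each once with
 * data (so each is resubmitted), then tear down.  Returns the number of URBs
 * that were never freed, i.e. leaked. */
static int model_run(int reanchor_on_resubmit)
{
    struct model_dev dev = { .reanchor_on_resubmit = reanchor_on_resubmit };
    int i, leaked;

    for (i = 0; i < MODEL_NURBS; i++) {
        struct model_urb *urb = calloc(1, sizeof(*urb));
        urb->id = i;
        dev.urbs[i] = urb;
        dev.allocated++;
        model_anchor_urb(urb, &dev.rx_anchor);   /* initial submit is anchored */
    }
    for (i = 0; i < MODEL_NURBS; i++)
        model_giveback(&dev, dev.urbs[i], 0);    /* data arrives, URB resubmitted */

    model_kill_anchored_urbs(&dev);              /* disconnect / teardown */

    leaked = dev.allocated;
    for (i = 0; i < MODEL_NURBS; i++)            /* release leaked URBs so the model itself is clean */
        if (dev.urbs[i])
            free(dev.urbs[i]);
    return leaked;
}

int main(void)
{
    printf("callback without re-anchor: %d of %d URBs leaked\n", model_run(0), MODEL_NURBS);
    printf("callback with re-anchor:    %d of %d URBs leaked\n", model_run(1), MODEL_NURBS);
    return 0;
}
```

The point the model isolates is that the kill pass can only free what is on the anchor: every URB resubmitted without re-anchoring stays allocated after teardown, which is the leak the advisory describes, while the re-anchoring callback leaves nothing behind.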
Affected Systems
Only Linux kernel builds that include the etas_es58x USB driver are affected. The issue was present before the recent commit that introduced the fix, and it applies to all kernel releases that have not yet incorporated this change. Systems running the kernel as it stood at the time the CVE was published are vulnerable unless the kernel has been updated with the appropriate patch.
Risk and Exploitability
With an EPSS score below 1 % and no listing in the CISA KEV catalog, the likelihood of widespread exploitation is currently low. Nevertheless, the defect is exploitable by an entity that can trigger the read bulk callback, typically a local user with a malicious USB device or an attacker who has already compromised the machine. The attack would not provide privilege escalation but could disrupt services by depleting kernel resources. The impact is limited to denial of service rather than data exfiltration or code execution.
OpenCVE Enrichment