CVE-2026-23324 - Vulnerability Details

- can: usb: etas_es58x: correctly anchor the urb in the read bulk callback

Description

In the Linux kernel, the following vulnerability has been resolved:

can: usb: etas_es58x: correctly anchor the urb in the read bulk callback

When submitting an urb, that is using the anchor pattern, it needs to be
anchored before submitting it otherwise it could be leaked if
usb_kill_anchored_urbs() is called. This logic is correctly done
elsewhere in the driver, except in the read bulk callback so do that
here also.

Published: 2026-03-25

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw is in the Linux kernel USB driver for etas_es58x. When an URB that should be anchored is processed in the read bulk callback, it is not anchored before submission. If usb_kill_anchored_urbs is later invoked, the URB can be leaked, causing an unreleased kernel resource. This improper release leads to a resource leak that could allow an attacker to consume kernel memory or other resources until the system becomes unresponsive. The vulnerability corresponds to CWE-772: Improper Release of Resource after Effective Lifetime.

Affected Systems

All Linux kernel releases that include the etas_es58x USB driver and have not applied the fix are affected. The vulnerable code is present in kernel versions preceding the commit that introduced the anchor logic; relevant releases include 5.13 and the 7.0 development releases (RC1 through RC7).

Risk and Exploitability

The CVSS score of 5.5 indicates a medium severity vulnerability. The EPSS score is below 1 %, and the issue is not listed in the CISA KEV catalog, suggesting a low likelihood of widespread exploitation. Based on the description, it is inferred that the attack vector would be local and would require an attacker to interact with the USB device to trigger the read bulk callback, which may be achievable by plugging a malicious device or by compromising the host.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`8537257874e949a59c834cecfd5a063e11b64b0b`	affected	< 7a0171b4921ad443fee5ed4fcb9d99fa4776edac
`8537257874e949a59c834cecfd5a063e11b64b0b`	affected	< 2185ea6e4ebcb61d1224dc7d187c59723cb5ad59
`8537257874e949a59c834cecfd5a063e11b64b0b`	affected	< f6e90c113c92e83fc0963d5e60e16b0e8a268981
`8537257874e949a59c834cecfd5a063e11b64b0b`	affected	< b878444519fa03a3edd287d1963cf79ef78be2f1
`8537257874e949a59c834cecfd5a063e11b64b0b`	affected	< 18eee279e9b5bff0db1aca9475ae4bc12804f05c
`8537257874e949a59c834cecfd5a063e11b64b0b`	affected	< b8f9ca88253574638bcff38900a4c28d570b1919
`8537257874e949a59c834cecfd5a063e11b64b0b`	affected	< 5eaad4f768266f1f17e01232ffe2ef009f8129b7

Linux

affected

Version	Status	Constraints
`5.13`	affected	—
`0`	unaffected	< 5.13
`5.15.203`	unaffected	≤ 5.15.*
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.77`	unaffected	≤ 6.12.*
`6.18.17`	unaffected	≤ 6.18.*
`6.19.7`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:5.13:-::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc4::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc5::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc6::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc7::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[8537257874e949a59c834cecfd5a063e11b64b0b,2185ea6e4ebcb61d1224dc7d187c59723cb5ad59)`	affected	code_commit	—
`[8537257874e949a59c834cecfd5a063e11b64b0b,f6e90c113c92e83fc0963d5e60e16b0e8a268981)`	affected	code_commit	—
`[8537257874e949a59c834cecfd5a063e11b64b0b,b878444519fa03a3edd287d1963cf79ef78be2f1)`	affected	code_commit	—
`[8537257874e949a59c834cecfd5a063e11b64b0b,18eee279e9b5bff0db1aca9475ae4bc12804f05c)`	affected	code_commit	—
`[8537257874e949a59c834cecfd5a063e11b64b0b,b8f9ca88253574638bcff38900a4c28d570b1919)`	affected	code_commit	—
`[8537257874e949a59c834cecfd5a063e11b64b0b,5eaad4f768266f1f17e01232ffe2ef009f8129b7)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.13`	affected	generic	—
`[0,5.13)`	unaffected	generic	—
`[6.1.167,7.0.0)`	unaffected	semver	—
`[6.6.130,7.0.0)`	unaffected	semver	—
`[6.12.77,7.0.0)`	unaffected	semver	—
`[6.18.17,6.19.0)`	unaffected	semver	—
`[6.19.7,6.20.0)`	unaffected	semver	—
`[7.0-rc3,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that contains the commit anchoring the URB in the read bulk callback.
If an immediate kernel upgrade is not possible, disable or remove the etas_es58x driver module to eliminate the vulnerability.
Continuously monitor logs for usb_kill_anchored_urbs activity and for signs of memory exhaustion that could indicate exploitation.

Generated by OpenCVE AI on April 29, 2026 at 00:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4561-1	linux-6.1 security update
Debian DSA	DSA-6238-1	linux security update
Debian DSA	DSA-6243-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00015.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/18eee279e9b5bff0db1aca9475ae4bc12804f05c
https://git.kernel.org/stable/c/2185ea6e4ebcb61d1224dc7d187c59723cb5ad59
https://git.kernel.org/stable/c/5eaad4f768266f1f17e01232ffe2ef009f8129b7
https://git.kernel.org/stable/c/7a0171b4921ad443fee5ed4fcb9d99fa4776edac
https://git.kernel.org/stable/c/b878444519fa03a3edd287d1963cf79ef78be2f1
https://git.kernel.org/stable/c/b8f9ca88253574638bcff38900a4c28d570b1919
https://git.kernel.org/stable/c/f6e90c113c92e83fc0963d5e60e16b0e8a268981
https://lore.kernel.org/linux-cve-announce/2026032531-CVE-2026-23324-bc9e@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23324
https://www.cve.org/CVERecord?id=CVE-2026-23324

History

Thu, 23 Apr 2026 21:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:o:linux:linux_kernel:5.13:-:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc2:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc3:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc4:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc5:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc6:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc7::::::
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Sat, 18 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/7a0171b4921ad443fee5ed4fcb9d99fa4776edac

Thu, 26 Mar 2026 12:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-416 CWE-778

Thu, 26 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-772
References		https://lore.kernel.org/linux-cve-announce/2026032531-CVE-2026-23324-bc9e@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23324 https://www.cve.org/CVERecord?id=CVE-2026-23324

Wed, 25 Mar 2026 22:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416 CWE-778

Wed, 25 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: can: usb: etas_es58x: correctly anchor the urb in the read bulk callback When submitting an urb, that is using the anchor pattern, it needs to be anchored before submitting it otherwise it could be leaked if usb_kill_anchored_urbs() is called. This logic is correctly done elsewhere in the driver, except in the read bulk callback so do that here also.
Title		can: usb: etas_es58x: correctly anchor the urb in the read bulk callback
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/18eee279e9b5bff0db1aca9475ae4bc12804f05c https://git.kernel.org/stable/c/2185ea6e4ebcb61d1224dc7d187c59723cb5ad59 https://git.kernel.org/stable/c/5eaad4f768266f1f17e01232ffe2ef009f8129b7 https://git.kernel.org/stable/c/b878444519fa03a3edd287d1963cf79ef78be2f1 https://git.kernel.org/stable/c/b8f9ca88253574638bcff38900a4c28d570b1919 https://git.kernel.org/stable/c/f6e90c113c92e83fc0963d5e60e16b0e8a268981

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-25T10:27:17.476Z

Updated: 2026-04-18T08:57:57.249Z

Reserved: 2026-01-13T15:37:45.996Z

Link: CVE-2026-23324

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-03-25T11:16:29.377

Modified: 2026-04-23T21:05:15.090

Link: CVE-2026-23324

Redhat

Severity :

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23324 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T00:45:26Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object