Description
In the Linux kernel, the following vulnerability has been resolved:

can: usb: f81604: handle short interrupt urb messages properly

If an interrupt urb is received that is not the correct length, properly
detect it and don't attempt to treat the data as valid.
Published: 2026-03-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption in Linux CAN USB Driver
Action: Patch Now
AI Analysis

Impact

The f81604 CAN USB driver in the Linux kernel was found to accept interrupt URBs that were shorter than expected without proper validation. Because the driver treats the truncated data as valid, it can read beyond allocated buffers, potentially corrupting kernel memory. This flaw is identified as CWE‑131 and can lead to a kernel crash, compromising the availability of the system and possibly affecting confidentiality and integrity if an attacker can read corrupted data.

Affected Systems

All Linux kernel installations that include the f81604 CAN USB driver before the patch commits are affected. The advisory does not list specific kernel releases, so any build of the kernel containing the driver prior to the referenced commits may be vulnerable. Updated kernels incorporating those commits are expected to be protected.

Risk and Exploitability

The likelihood of exploitation is low, with an EPSS score below 1% and no listing in the CISA KEV catalog. Exploitation would require physical or local access to a USB device that routes through the vulnerable driver. If an attacker can supply crafted USB traffic, the flaw could be used to cause a denial‑of‑service or memory corruption but is unlikely to provide remote code execution.

Generated by OpenCVE AI on March 26, 2026 at 14:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the f81604 interrupt URB handling patches referenced in the kernel commit logs.
  • If a kernel upgrade is not immediately feasible, unload or disable the f81604 CAN driver to eliminate the vulnerability.
  • Restrict access to USB devices that utilize the f81604 driver by implementing device trust filtering or kernel module blacklisting.
  • Monitor kernel logs for abnormal URB messages or repeated "short interrupt" warnings to detect potential exploitation attempts.

Generated by OpenCVE AI on March 26, 2026 at 14:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:6.5:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-131
References

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: can: usb: f81604: handle short interrupt urb messages properly If an interrupt urb is received that is not the correct length, properly detect it and don't attempt to treat the data as valid.
Title can: usb: f81604: handle short interrupt urb messages properly
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T06:05:15.133Z

Reserved: 2026-01-13T15:37:45.997Z

Link: CVE-2026-23334

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T11:16:30.903

Modified: 2026-04-23T21:13:15.427

Link: CVE-2026-23334

cve-icon Redhat

Severity :

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23334 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:49:39Z

Weaknesses