Description
In the Linux kernel, the following vulnerability has been resolved:

can: ucan: fix devres lifetime

USB drivers bind to USB interfaces and any device managed resources
should have their lifetime tied to the interface rather than parent USB
device. This avoids issues like memory leaks when drivers are unbound
without their devices being physically disconnected (e.g. on probe
deferral or configuration changes).

Fix the control message buffer lifetime so that it is released on driver
unbind.

Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Linux kernel arises from improper handling of device-managed (devres) resources in a USB driver. When the driver is unbound without the corresponding USB device being physically disconnected, the associated control message buffer remains allocated. This oversight causes memory leaks that can lead to resource exhaustion or system instability in affected kernel versions. The likely attack vector is local privileged access that triggers repeated bind and unbind operations, potentially allowing an attacker to exhaust kernel memory.

Affected Systems

All Linux kernel releases that contain the affected USB driver code before the commit that fixes the devres lifetime are affected. The issue is specific to the ucan driver in the CAN subsystem and its USB interface management. No specific minor release numbers are listed, so all kernel versions preceding the described fix are impacted.

Risk and Exploitability

The CVSS score is not provided and the EPSS score is not available, so the exploitation likelihood cannot be quantified from the data. The flaw is not listed in the CISA KEV catalog, suggesting no widespread exploitation has been observed. However, a local privileged attacker could exploit the memory leak by repeatedly unbinding drivers, potentially leading to a denial of service. Remote exploitation would require privileged access to invoke driver operations.

Generated by OpenCVE AI on May 27, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the commit that fixes devres lifetime.
  • If an immediate kernel upgrade is not possible, validate that driver unbind operations correctly free resources and monitor memory consumption on critical systems.
  • Apply the patch from the kernel repository commits cited in the references for custom kernel builds.

Advisories

No advisories yet.

History

Wed, 27 May 2026 18:15:00 +0000

Type          Values Removed   Values Added
Weaknesses    -                CWE-229

Wed, 27 May 2026 14:15:00 +0000

Type                 Values Removed   Values Added
Description          -                (text identical to the Description section above)
Title                -                can: ucan: fix devres lifetime
First Time appeared  -                Linux; Linux linux Kernel
CPEs                 -                cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products   -                Linux; Linux linux Kernel
References           -                -

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:59:11.533Z

Reserved: 2026-05-13T15:03:33.097Z

Link: CVE-2026-46103

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:17:32.457

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46103

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T18:00:15Z

Weaknesses