CVE-2026-23061

Severity: Medium (CVSS 3.1 base score 5.5)
EPSS: 2.4%
Published: Feb 4, 2026
Last Modified: Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak

Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak").

In kvaser_usb_set_{,data_}bittiming() -> kvaser_usb_setup_rx_urbs(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the complete callback kvaser_usb_read_bulk_callback(), the URBs are processed and resubmitted. In kvaser_usb_remove_interfaces() the URBs are freed by calling usb_kill_anchored_urbs(&dev->rx_submitted).

However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in usb_kill_anchored_urbs().

Fix the memory leak by anchoring the URB in the kvaser_usb_read_bulk_callback() to the dev->rx_submitted anchor.
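The lifecycle described above, as an added userspace model (not kernel or driver code, and not part of the original advisory): URBs are anchored at setup, unanchored before each completion callback, and released at teardown only if still anchored. All type and function names and the `NUM_RX_URBS` value are hypothetical stand-ins chosen for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>

#define NUM_RX_URBS 4                  /* constructed value for this model */
struct urb { struct urb *next; bool released; };
struct anchor { struct urb *head; };   /* stands in for dev->rx_submitted */

static void anchor_urb(struct anchor *a, struct urb *u) {
    u->next = a->head;
    a->head = u;
}

static void unanchor_urb(struct anchor *a, struct urb *u) {
    for (struct urb **p = &a->head; *p; p = &(*p)->next)
        if (*p == u) { *p = u->next; return; }
}

/* Models the USB core completing a URB: it is unanchored before the driver's
 * callback runs. The callback resubmits; only the fixed variant re-anchors. */
static void complete_urb(struct anchor *a, struct urb *u, bool fixed) {
    unanchor_urb(a, u);
    if (fixed) anchor_urb(a, u);
}

/* Models teardown: only URBs still on the anchor are released. */
static void kill_anchored(struct anchor *a) {
    for (; a->head; a->head = a->head->next)
        a->head->released = true;
}

/* Returns how many RX URBs remain unreleased after teardown. */
int leaked_after_teardown(bool fixed, int completions) {
    struct urb urbs[NUM_RX_URBS] = {0};
    struct anchor rx = { NULL };
    int leaked = 0;
    for (int i = 0; i < NUM_RX_URBS; i++)
        anchor_urb(&rx, &urbs[i]);
    for (int i = 0; i < completions; i++)
        complete_urb(&rx, &urbs[i % NUM_RX_URBS], fixed);
    kill_anchored(&rx);
    for (int i = 0; i < NUM_RX_URBS; i++)
        leaked += !urbs[i].released;
    return leaked;
}

int main(void) {
    printf("unfixed: %d leaked, fixed: %d leaked\n",
           leaked_after_teardown(false, 10), leaked_after_teardown(true, 10));
}
```

In the unfixed variant every URB that has completed at least once is missed at teardown, so the leak is bounded by the number of RX URBs per setup but recurs on each setup and removal cycle.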

CVSS Details

Base Score: 5.5
Exploitability: 1.8
Impact: 3.6
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Threat Intelligence

EPSS Exploit Probability: 2.4% percentile
Exploit & Patch Status: No Known Exploit, Patch Available

Weaknesses 1

CWE-401

Affected Products 12

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥3.8 – <5.10.249
linux   linux_kernel  *        ≥5.11 – <5.15.199
linux   linux_kernel  *        ≥5.16 – <6.1.162
linux   linux_kernel  *        ≥6.2 – <6.6.122
linux   linux_kernel  *        ≥6.7 – <6.12.68
linux   linux_kernel  *        ≥6.13 – <6.18.8
linux   linux_kernel  6.19     any
linux   linux_kernel  6.19     any
linux   linux_kernel  6.19     any
linux   linux_kernel  6.19     any
linux   linux_kernel  6.19     any
linux   linux_kernel  6.19     any

References 7

  • https://git.kernel.org/stable/c/248e8e1a125fa875158df521b30f2cc7e27eeeaa (Patch)
  • https://git.kernel.org/stable/c/3b1a593eab941c3f32417896cc7df564191f2482 (Patch)
  • https://git.kernel.org/stable/c/40a3334ffda479c63e416e61ff086485e24401f7 (Patch)
  • https://git.kernel.org/stable/c/7c308f7530bffafa994e0aa8dc651a312f4b9ff4 (Patch)
  • https://git.kernel.org/stable/c/94a7fc42e21c7d9d1c49778cd1db52de5df52a01 (Patch)
  • https://git.kernel.org/stable/c/c1b39fa24c140bc616f51fef4175c1743e2bb132 (Patch)
  • https://git.kernel.org/stable/c/d9d824582f2ec76459ffab449e9b05c7bc49645c (Patch)

Remediation

  • https://git.kernel.org/stable/c/248e8e1a125fa875158df521b30f2cc7e27eeeaa (Patch)
  • https://git.kernel.org/stable/c/3b1a593eab941c3f32417896cc7df564191f2482 (Patch)
  • https://git.kernel.org/stable/c/40a3334ffda479c63e416e61ff086485e24401f7 (Patch)
  • https://git.kernel.org/stable/c/7c308f7530bffafa994e0aa8dc651a312f4b9ff4 (Patch)
  • https://git.kernel.org/stable/c/94a7fc42e21c7d9d1c49778cd1db52de5df52a01 (Patch)
  • https://git.kernel.org/stable/c/c1b39fa24c140bc616f51fef4175c1743e2bb132 (Patch)
  • https://git.kernel.org/stable/c/d9d824582f2ec76459ffab449e9b05c7bc49645c (Patch)