CVE-2026-23058 in Linux
Summary
by MITRE • 02/04/2026
In the Linux kernel, the following vulnerability has been resolved:
can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak
Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak").
In ems_usb_open(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the complete callback ems_usb_read_bulk_callback(), the URBs are processed and resubmitted. In ems_usb_close() the URBs are freed by calling usb_kill_anchored_urbs(&dev->rx_submitted).
However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in ems_usb_close().
Fix the memory leak by anchoring the URB in the ems_usb_read_bulk_callback() to the dev->rx_submitted anchor.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 04/30/2026
The vulnerability CVE-2026-23058 represents a memory leak in the Linux kernel's CAN (Controller Area Network) subsystem specifically within the ems_usb driver module. This flaw affects the handling of USB transfer requests and occurs in the context of automotive and industrial communication systems where reliable data transmission is critical. The issue manifests in the ems_usb_read_bulk_callback function which processes completed USB requests for receiving data from CAN devices connected via USB interface.
The technical root cause stems from improper URB (USB Request Block) memory management within the USB subsystem integration. When the ems_usb_open function initializes USB communication, it allocates URBs for incoming data transfers and adds them to the dev->rx_submitted anchor before submitting them to the USB framework. The normal operation flow involves these URBs being processed by ems_usb_read_bulk_callback and then resubmitted for continued operation. However, the Linux USB subsystem automatically unanchors URBs before invoking the completion callback function, which creates a critical gap in memory management. This automatic unanchoring means that by the time ems_usb_close attempts to clean up resources by calling usb_kill_anchored_urbs(&dev->rx_submitted), many URBs have already been removed from the anchor list and remain unreleased, leading to memory leaks that accumulate over time.
The operational impact of this vulnerability extends beyond simple memory consumption issues as it represents a potential denial of service vector in embedded systems and automotive applications where memory resources are constrained. The memory leak can progressively degrade system performance, potentially leading to complete system failure in resource-constrained environments. This vulnerability directly relates to CWE-401: Improper Release of Memory and aligns with ATT&CK technique T1499.004: Endpoint Denial of Service, as it can cause system instability through resource exhaustion. The flaw is particularly concerning in automotive contexts where CAN bus communication is fundamental to vehicle control systems, as memory leaks could compromise safety-critical operations.
The fix implemented addresses this issue by modifying the ems_usb_read_bulk_callback function to re-anchor URBs to the dev->rx_submitted anchor before processing them. This ensures that even after the USB framework automatically unanchors the URBs, the driver maintains proper control over their lifecycle management. The solution mirrors a previously implemented fix in the gs_usb driver (commit 7352e1d5932a) demonstrating a consistent approach to resolving similar memory management issues across the CAN USB subsystem. This remediation maintains the expected behavior of the USB communication while ensuring proper resource cleanup during driver shutdown operations, thereby preventing the accumulation of unreleased URB memory that could eventually impact system stability and performance in automotive and industrial applications.