CVE-2026-23080 in Linuxinfo

Summary

by MITRE • 02/04/2026

In the Linux kernel, the following vulnerability has been resolved:

can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak

Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak").

In mcba_usb_probe() -> mcba_usb_start(), the URBs for USB-in transfers are allocated, added to the priv->rx_submitted anchor and submitted. In the complete callback mcba_usb_read_bulk_callback(), the URBs are processed and resubmitted. In mcba_usb_close() -> mcba_urb_unlink() the URBs are freed by calling usb_kill_anchored_urbs(&priv->rx_submitted).

However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in usb_kill_anchored_urbs().

Fix the memory leak by anchoring the URB in the mcba_usb_read_bulk_callback()to the priv->rx_submitted anchor.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 05/03/2026

The vulnerability identified as CVE-2026-23080 represents a critical memory management flaw within the Linux kernel's CAN (Controller Area Network) subsystem, specifically affecting the mcba_usb driver implementation. This issue manifests as a persistent memory leak that occurs during USB communication processing, fundamentally compromising system resource utilization and potentially leading to system instability over extended periods of operation. The vulnerability is classified under CWE-401 as a failure to release memory resources, directly impacting the kernel's ability to maintain proper memory allocation during ongoing USB data transfer operations.

The technical root cause stems from improper URB (USB Request Block) memory management within the mcba_usb driver's callback handling mechanism. During normal operation, the driver allocates URBs for USB-in transfers in the mcba_usb_probe function and subsequently submits them to the USB framework. The mcba_usb_read_bulk_callback serves as the completion handler where these URBs are processed and resubmitted for continued data reception. However, the Linux USB subsystem automatically unanchors URBs before invoking the completion callback function, creating a critical timing gap where URBs remain unmanaged and unreleased. This behavior directly contradicts the expected workflow where all allocated URBs should remain anchored until explicit cleanup occurs.

The operational impact of this vulnerability extends beyond simple memory consumption, potentially leading to system resource exhaustion that could affect the entire CAN communication infrastructure within automotive and industrial systems. The memory leak accumulates over time as completed URBs are not properly released back to the system, eventually depleting available memory resources and potentially causing system crashes or degraded performance. This vulnerability particularly affects embedded systems and automotive platforms that rely heavily on CAN bus communications, where continuous data flow and reliable memory management are critical for system stability and safety.

The fix implemented addresses this issue by modifying the mcba_usb_read_bulk_callback function to properly anchor URBs to the priv->rx_submitted anchor immediately upon receipt of completion notifications. This approach mirrors the successful resolution pattern established in a similar fix for the gs_usb driver (commit 7352e1d5932a), ensuring consistency across the kernel's USB CAN driver implementations. The solution maintains the existing URB lifecycle management while correcting the anchoring timing to prevent the memory leak. This remediation aligns with the ATT&CK framework's defense evasion techniques by ensuring proper resource management and preventing potential exploitation through resource exhaustion attacks. The fix ensures that all URBs are properly accounted for throughout their complete lifecycle, maintaining kernel stability and preventing unauthorized resource consumption that could compromise system integrity and availability.

Responsible

Linux

Reservation

01/13/2026

Disclosure

02/04/2026

Moderation

accepted

CPE

ready

EPSS

0.00123

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!