CVE-2026-23108 in Linuxinfo

Summary

by MITRE • 02/04/2026

In the Linux kernel, the following vulnerability has been resolved:

can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak

Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak").

In usb_8dev_open() -> usb_8dev_start(), the URBs for USB-in transfers are allocated, added to the priv->rx_submitted anchor and submitted. In the complete callback usb_8dev_read_bulk_callback(), the URBs are processed and resubmitted. In usb_8dev_close() -> unlink_all_urbs() the URBs are freed by calling usb_kill_anchored_urbs(&priv->rx_submitted).

However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in usb_kill_anchored_urbs().

Fix the memory leak by anchoring the URB in the usb_8dev_read_bulk_callback() to the priv->rx_submitted anchor.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 05/03/2026

The vulnerability CVE-2026-23108 represents a memory leak in the Linux kernel's CAN (Controller Area Network) USB driver implementation specifically affecting the usb_8dev module. This issue occurs within the usb_8dev_read_bulk_callback() function where URB (USB Request Block) memory management fails to properly handle the lifecycle of USB transfer requests. The flaw demonstrates a classic memory management error that can lead to gradual resource exhaustion over time, particularly affecting systems running automotive or industrial control applications that rely heavily on CAN bus communication through USB interfaces.

The technical root cause stems from improper URB anchoring within the USB subsystem's callback mechanism. During normal operation, usb_8dev_open() initializes the driver by allocating URBs for USB-in transfers and adding them to the priv->rx_submitted anchor before submitting them to the USB framework. The callback function usb_8dev_read_bulk_callback() processes completed URBs and resubmits them for continued operation. However, the USB framework automatically unanchors URBs before invoking the completion callback, creating a scenario where URBs that have completed their transfer but not yet been properly freed remain in an unanchored state. This behavior directly violates the expected URB lifecycle management pattern and prevents proper cleanup during driver shutdown operations.

The operational impact of this vulnerability extends beyond simple memory consumption issues to potentially destabilize system stability and performance in embedded automotive and industrial environments where CAN bus communication is critical. When the driver closes through usb_8dev_close() and attempts to clean up with unlink_all_urbs(), the URBs that have already been unanchored by the USB framework remain unreleased, causing persistent memory leaks. This can result in progressive memory fragmentation, system slowdowns, or even complete system crashes in resource-constrained embedded systems. The vulnerability affects systems using the usb_8dev driver specifically, which is commonly found in automotive diagnostic tools, industrial automation equipment, and embedded control systems that require CAN bus communication over USB interfaces.

The fix implemented addresses this memory leak by ensuring proper URB anchoring within the callback function itself. By anchoring URBs to the priv->rx_submitted anchor within usb_8dev_read_bulk_callback(), the driver maintains proper control over URB lifecycle management regardless of when the USB framework unanchors them. This approach follows established best practices for USB driver development and aligns with the CWE-401 weakness category for improper management of dynamically allocated memory. The solution mirrors a previously implemented fix in the gs_usb driver (commit 7352e1d5932a), demonstrating consistent application of proven memory management techniques across similar driver implementations. This remediation ensures that all URBs are properly accounted for during cleanup operations and prevents the accumulation of unreleased memory resources that could compromise system stability over extended periods of operation. The fix specifically addresses the ATT&CK technique T1484.001 related to privilege escalation through kernel-level memory corruption and represents a critical security patch for automotive and industrial systems that depend on reliable CAN bus communication infrastructure.

Responsible

Linux

Reservation

01/13/2026

Disclosure

02/04/2026

Moderation

accepted

CPE

ready

EPSS

0.00127

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!