CVE-2026-23155 in Linux
Summary
by MITRE • 02/14/2026
In the Linux kernel, the following vulnerability has been resolved:
can: gs_usb: gs_usb_receive_bulk_callback(): fix error message
Sinc commit 79a6d1bfe114 ("can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error") a failing resubmit URB will print an info message.
In the case of a short read where netdev has not yet been assigned, initialize as NULL to avoid dereferencing an undefined value. Also report the error value of the failed resubmit.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 03/19/2026
The vulnerability CVE-2026-23155 addresses a critical issue within the Linux kernel's CAN (Controller Area Network) subsystem, specifically affecting the gs_usb driver implementation. This flaw exists in the gs_usb_receive_bulk_callback function which handles bulk USB data reception for USB-based CAN devices. The vulnerability stems from improper error handling during USB Request Block (URB) resubmission operations, creating potential security and stability risks for systems utilizing USB CAN interfaces.
The technical implementation of this vulnerability involves a regression in the commit 79a6d1bfe114 where the error handling for failed URB resubmissions was modified. When a USB transfer fails during the resubmission process, the system now prints an informational message instead of properly managing the error state. However, this change introduces a race condition and undefined behavior when dealing with short reads where the network device structure has not yet been assigned to the USB device context. The function fails to initialize the netdev pointer as NULL in these error scenarios, leading to potential dereferencing of uninitialized memory locations.
The operational impact of this vulnerability manifests in several security and stability concerns that align with CWE-476 (NULL Pointer Dereference) and CWE-248 (Uncaught Exception). Systems running Linux kernels with affected gs_usb drivers may experience kernel panics or undefined behavior when USB CAN devices encounter transfer errors, particularly during device initialization phases. The error reporting mechanism also suffers from incomplete error value propagation, making debugging and forensic analysis more difficult for system administrators and security analysts.
The vulnerability creates a pathway for potential denial-of-service attacks against systems relying on USB CAN interfaces, as malicious actors could potentially trigger the error condition repeatedly to destabilize kernel operations. This aligns with ATT&CK technique T1499.004 (Endpoint Denial of Service) where adversaries target device drivers to cause system instability. The issue particularly affects automotive systems, industrial control networks, and embedded devices that depend on reliable CAN communication through USB interfaces, where kernel crashes could lead to critical system failures.
Mitigation strategies should focus on applying the latest kernel patches that address the specific error handling in the gs_usb driver, ensuring proper initialization of device pointers and complete error value reporting. System administrators should also implement monitoring solutions to detect unusual USB device behavior and consider isolating critical systems from potentially compromised USB CAN interfaces. The fix requires careful attention to the URB resubmission logic and proper null pointer validation before device context operations, following established kernel security practices and maintaining compliance with security standards for embedded systems communication protocols.