{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23031", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.942Z", "datePublished": "2026-01-31T11:42:09.276Z", "dateUpdated": "2026-05-11T21:58:40.032Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:58:40.032Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak\n\nIn gs_can_open(), the URBs for USB-in transfers are allocated, added to the\nparent->rx_submitted anchor and submitted. In the complete callback\ngs_usb_receive_bulk_callback(), the URB is processed and resubmitted. In\ngs_can_close() the URBs are freed by calling\nusb_kill_anchored_urbs(parent->rx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in gs_can_close().\n\nFix the memory leak by anchoring the URB in the\ngs_usb_receive_bulk_callback() to the parent->rx_submitted anchor."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/can/usb/gs_usb.c"], "versions": [{"version": "d08e973a77d128b25e01a08c34d89593fdf222da", "lessThan": "9c151898cc259a7784be60ba38664f42ede39b31", "status": "affected", "versionType": "git"}, {"version": "d08e973a77d128b25e01a08c34d89593fdf222da", "lessThan": "ec5ccc2af9e5b045671f3f604b57512feda8bcc5", "status": "affected", "versionType": "git"}, {"version": "d08e973a77d128b25e01a08c34d89593fdf222da", "lessThan": "f905bcfa971edb89e398c98957838d8c6381c0c7", "status": "affected", "versionType": "git"}, {"version": "d08e973a77d128b25e01a08c34d89593fdf222da", "lessThan": "08624b7206ddb9148eeffc2384ebda2c47b6d1e9", "status": "affected", "versionType": "git"}, {"version": "d08e973a77d128b25e01a08c34d89593fdf222da", "lessThan": "9f669a38ca70839229b7ba0f851820850a2fe1f7", "status": "affected", "versionType": "git"}, {"version": "d08e973a77d128b25e01a08c34d89593fdf222da", "lessThan": "7352e1d5932a0e777e39fa4b619801191f57e603", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/can/usb/gs_usb.c"], "versions": [{"version": "3.16", "status": "affected"}, {"version": "0", "lessThan": "3.16", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.162", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.122", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.67", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.7", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.16", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.16", "versionEndExcluding": "6.1.162"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.16", "versionEndExcluding": "6.6.122"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.16", "versionEndExcluding": "6.12.67"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.16", "versionEndExcluding": "6.18.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.16", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/9c151898cc259a7784be60ba38664f42ede39b31"}, {"url": "https://git.kernel.org/stable/c/ec5ccc2af9e5b045671f3f604b57512feda8bcc5"}, {"url": "https://git.kernel.org/stable/c/f905bcfa971edb89e398c98957838d8c6381c0c7"}, {"url": "https://git.kernel.org/stable/c/08624b7206ddb9148eeffc2384ebda2c47b6d1e9"}, {"url": "https://git.kernel.org/stable/c/9f669a38ca70839229b7ba0f851820850a2fe1f7"}, {"url": "https://git.kernel.org/stable/c/7352e1d5932a0e777e39fa4b619801191f57e603"}], "title": "can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak\n\nIn gs_can_open(), the URBs for USB-in transfers are allocated, added to the\nparent->rx_submitted anchor and submitted. In the complete callback\ngs_usb_receive_bulk_callback(), the URB is processed and resubmitted. In\ngs_can_close() the URBs are freed by calling\nusb_kill_anchored_urbs(parent->rx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in gs_can_close().\n\nFix the memory leak by anchoring the URB in the\ngs_usb_receive_bulk_callback() to the parent->rx_submitted anchor."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ncan: gs_usb: gs_usb_receive_bulk_callback(): corregir fuga de memoria de URB\n\nEn gs_can_open(), los URB para transferencias USB de entrada son asignados, a\u00f1adidos al ancla parent->rx_submitted y enviados. En la funci\u00f3n de devoluci\u00f3n de llamada completa gs_usb_receive_bulk_callback(), el URB es procesado y reenviado. En gs_can_close(), los URB son liberados llamando a usb_kill_anchored_urbs(parent->rx_submitted).\n\nSin embargo, esto no tiene en cuenta que el framework USB desancla el URB antes de que se llame a la funci\u00f3n completa. Esto significa que una vez que un URB de entrada ha sido completado, ya no est\u00e1 anclado y finalmente no es liberado en gs_can_close().\n\nCorregir la fuga de memoria anclando el URB en gs_usb_receive_bulk_callback() al ancla parent->rx_submitted."}], "id": "CVE-2026-23031", "lastModified": "2026-04-18T09:16:13.360", "metrics": {}, "published": "2026-01-31T12:16:06.413", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/08624b7206ddb9148eeffc2384ebda2c47b6d1e9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7352e1d5932a0e777e39fa4b619801191f57e603"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9c151898cc259a7784be60ba38664f42ede39b31"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9f669a38ca70839229b7ba0f851820850a2fe1f7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ec5ccc2af9e5b045671f3f604b57512feda8bcc5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f905bcfa971edb89e398c98957838d8c6381c0c7"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Deferred"}

{"bugzilla": {"description": "kernel: can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak", "id": "2435661", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2435661"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-23031", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-01-31T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23031\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23031\nhttps://lore.kernel.org/linux-cve-announce/2026013120-CVE-2026-23031-9e82@gregkh/T"], "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-04-18T20:38:03.542963+00:00", "value": {"mitigation_remediation": ["Upgrade the kernel to a release that contains the gs_usb URB anchoring patch.", "If an upgrade cannot be performed immediately, unload or disable the gs_usb module or block USB CAN devices to stop the memory leak in action.", "Continuously monitor kernel memory usage; if usage rises unexpectedly, restart the system or apply the kernel patch promptly."], "summary": {"action": "Upgrade Kernel", "impact": "Denial of Service from kernel memory exhaustion"}, "threat_synthesis": {"affected_systems": "All Linux kernel versions that embed the gs_usb CAN USB driver and have not incorporated the commit that re\u2011anchors pending URBs are affected. That includes mainline kernels and distributions that ship the unpatched gs_usb module. Any kernel before the fix remains vulnerable, regardless of distribution or patch level.", "description_and_impact": "The gs_usb driver manages CAN bus devices over USB. Its bulk\u2011transfer routine allocates URBs, submits them, and processes them in gs_usb_receive_bulk_callback. When a URB completes, the USB subsystem removes it from the anchored list before invoking the callback, but the callback then resubmits the URB without re\u2011anchoring it. The URB is therefore never freed by gs_can_close, leading to a memory leak that grows with each transfer. Over time this can exhaust kernel memory, causing out\u2011of\u2011memory situations and potentially destabilizing the operating system. This flaw is a resource\u2011management weakness (CWE\u2011401).", "risk_and_exploitability": "The CVSS score of 7.0 points to high severity, while the EPSS rank of less than 1\u202f% indicates a low probability of exploitation. Exploitation requires the system to process repeated USB bulk transfers to a CAN device, which typically means the device must be physically connected or an attacker must have privileged access. There is no remote code execution or elevation of privilege path documented, so the attack vector is inferred to be local device\u2011based."}}}}, "created": "2026-04-18T20:45:05.720754+00:00", "updated": "2026-04-18T20:45:05.720766+00:00", "vendors": [], "weaknesses": ["CWE-401", "CWE-400"]}