{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23058", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.952Z", "datePublished": "2026-02-04T16:07:41.337Z", "dateUpdated": "2026-05-11T21:59:11.271Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:59:11.271Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak\n\nFix similar memory leak as in commit 7352e1d5932a (\"can: gs_usb:\ngs_usb_receive_bulk_callback(): fix URB memory leak\").\n\nIn ems_usb_open(), the URBs for USB-in transfers are allocated, added to\nthe dev->rx_submitted anchor and submitted. In the complete callback\nems_usb_read_bulk_callback(), the URBs are processed and resubmitted. In\nems_usb_close() the URBs are freed by calling\nusb_kill_anchored_urbs(&dev->rx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in ems_usb_close().\n\nFix the memory leak by anchoring the URB in the\nems_usb_read_bulk_callback() to the dev->rx_submitted anchor."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/can/usb/ems_usb.c"], "versions": [{"version": "702171adeed3607ee9603ec30ce081411e36ae42", "lessThan": "e2c71030dc464d437110bcfb367c493fd402bddb", "status": "affected", "versionType": "git"}, {"version": "702171adeed3607ee9603ec30ce081411e36ae42", "lessThan": "f48eabd15194b216030b32445f44230df95f5fe0", "status": "affected", "versionType": "git"}, {"version": "702171adeed3607ee9603ec30ce081411e36ae42", "lessThan": "61e6d3674c3d1da1475dc207b3e75c55d678d18e", "status": "affected", "versionType": "git"}, {"version": "702171adeed3607ee9603ec30ce081411e36ae42", "lessThan": "e9410fdd4d5f7eaa6526d8c80e83029d7c86a8e8", "status": "affected", "versionType": "git"}, {"version": "702171adeed3607ee9603ec30ce081411e36ae42", "lessThan": "46a191ff7eeec33a2ccb2a1bfea34e18fbc5dc1a", "status": "affected", "versionType": "git"}, {"version": "702171adeed3607ee9603ec30ce081411e36ae42", "lessThan": "68c62b3e53901846b5f68c5a8bade72a5d9c0b87", "status": "affected", "versionType": "git"}, {"version": "702171adeed3607ee9603ec30ce081411e36ae42", "lessThan": "0ce73a0eb5a27070957b67fd74059b6da89cc516", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/can/usb/ems_usb.c"], "versions": [{"version": "2.6.32", "status": "affected"}, {"version": "0", "lessThan": "2.6.32", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.249", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.199", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.162", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.122", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.68", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.8", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.32", "versionEndExcluding": "5.10.249"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.32", "versionEndExcluding": "5.15.199"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.32", "versionEndExcluding": "6.1.162"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.32", "versionEndExcluding": "6.6.122"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.32", "versionEndExcluding": "6.12.68"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.32", "versionEndExcluding": "6.18.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.32", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/e2c71030dc464d437110bcfb367c493fd402bddb"}, {"url": "https://git.kernel.org/stable/c/f48eabd15194b216030b32445f44230df95f5fe0"}, {"url": "https://git.kernel.org/stable/c/61e6d3674c3d1da1475dc207b3e75c55d678d18e"}, {"url": "https://git.kernel.org/stable/c/e9410fdd4d5f7eaa6526d8c80e83029d7c86a8e8"}, {"url": "https://git.kernel.org/stable/c/46a191ff7eeec33a2ccb2a1bfea34e18fbc5dc1a"}, {"url": "https://git.kernel.org/stable/c/68c62b3e53901846b5f68c5a8bade72a5d9c0b87"}, {"url": "https://git.kernel.org/stable/c/0ce73a0eb5a27070957b67fd74059b6da89cc516"}], "title": "can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak\n\nFix similar memory leak as in commit 7352e1d5932a (\"can: gs_usb:\ngs_usb_receive_bulk_callback(): fix URB memory leak\").\n\nIn ems_usb_open(), the URBs for USB-in transfers are allocated, added to\nthe dev->rx_submitted anchor and submitted. In the complete callback\nems_usb_read_bulk_callback(), the URBs are processed and resubmitted. In\nems_usb_close() the URBs are freed by calling\nusb_kill_anchored_urbs(&dev->rx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in ems_usb_close().\n\nFix the memory leak by anchoring the URB in the\nems_usb_read_bulk_callback() to the dev->rx_submitted anchor."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ncan: ems_usb: ems_usb_read_bulk_callback(): corregir fuga de memoria de URB\n\nCorregir fuga de memoria similar a la del commit 7352e1d5932a ('can: gs_usb: gs_usb_receive_bulk_callback(): corregir fuga de memoria de URB').\n\nEn ems_usb_open(), los URB para transferencias USB de entrada son asignados, a\u00f1adidos al ancla dev->rx_submitted y enviados. En la funci\u00f3n de devoluci\u00f3n de llamada completa ems_usb_read_bulk_callback(), los URB son procesados y reenviados. En ems_usb_close() los URB son liberados llamando a usb_kill_anchored_urbs(&dev->rx_submitted).\n\nSin embargo, esto no tiene en cuenta que el framework USB desancla el URB antes de que se llame a la funci\u00f3n completa. Esto significa que una vez que un URB de entrada ha sido completado, ya no est\u00e1 anclado y finalmente no es liberado en ems_usb_close().\n\nCorregir la fuga de memoria anclando el URB en la ems_usb_read_bulk_callback() al ancla dev->rx_submitted."}], "id": "CVE-2026-23058", "lastModified": "2026-04-15T00:35:42.020", "metrics": {}, "published": "2026-02-04T17:16:16.480", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0ce73a0eb5a27070957b67fd74059b6da89cc516"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/46a191ff7eeec33a2ccb2a1bfea34e18fbc5dc1a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/61e6d3674c3d1da1475dc207b3e75c55d678d18e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/68c62b3e53901846b5f68c5a8bade72a5d9c0b87"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e2c71030dc464d437110bcfb367c493fd402bddb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e9410fdd4d5f7eaa6526d8c80e83029d7c86a8e8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f48eabd15194b216030b32445f44230df95f5fe0"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Deferred"}

{"bugzilla": {"description": "kernel: can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak", "id": "2436788", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436788"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-23058", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23058\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23058\nhttps://lore.kernel.org/linux-cve-announce/2026020414-CVE-2026-23058-802c@gregkh/T"], "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-18T18:30:10.444198+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the commit that anchors URBs in the callback (the reference patch is in the publicly available commit list).", "If a kernel update is not immediately available, disable the eMS USB device or restrict USB access sufficient to prevent the driver from loading into the system.", "After applying a patch or disabling the driver, monitor kernel memory usage and overall system stability to ensure the memory leak has been mitigated."], "summary": {"action": "Immediate Patch", "impact": "Memory Leak \u2013 Potential Denial of Service"}, "threat_synthesis": {"affected_systems": "Any system running a Linux kernel that includes the eMS USB driver is potentially affected, regardless of distribution. The advisory does not specify a version range; only kernels that contain the unpatched code before the reference commit are at risk. Updated kernels that contain the fix commit are not vulnerable.", "description_and_impact": "The Linux kernel eMS USB driver suffers a memory leak in the URB completion callback. When an inbound USB transfer completes, the URB is unanchored by the USB subsystem before the driver\u2019s callback is invoked, so the URB is never freed unless the device is closed. The unreleased memory accumulates with each transfer, allowing a sustained leak that can exhaust kernel memory and degrade system responsiveness. The flaw maps to CWE\u2011401, a missing release of memory after its effective lifetime.", "risk_and_exploitability": "The CVSS score of 7.0 marks this issue as high severity. The EPSS score of less than 1% indicates that, at present, exploitation is unlikely outside of a targeted attack. Based on the description, the likely attack vector is local or physical access to the affected machine to attach a malicious or traffic\u2011heavy USB device that repeatedly triggers the callback. The vulnerability does not appear in the CISA KEV list. A successful exploitation could force the system into a memory\u2011starved state, effectively denying service."}}}}, "created": "2026-04-18T18:45:05.744037+00:00", "updated": "2026-04-18T18:45:05.744060+00:00", "vendors": [], "weaknesses": ["CWE-401"]}