{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23061", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.952Z", "datePublished": "2026-02-04T16:07:43.626Z", "dateUpdated": "2026-05-11T21:59:14.748Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:59:14.748Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak\n\nFix similar memory leak as in commit 7352e1d5932a (\"can: gs_usb:\ngs_usb_receive_bulk_callback(): fix URB memory leak\").\n\nIn kvaser_usb_set_{,data_}bittiming() -> kvaser_usb_setup_rx_urbs(), the\nURBs for USB-in transfers are allocated, added to the dev->rx_submitted\nanchor and submitted. In the complete callback\nkvaser_usb_read_bulk_callback(), the URBs are processed and resubmitted. In\nkvaser_usb_remove_interfaces() the URBs are freed by calling\nusb_kill_anchored_urbs(&dev->rx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in usb_kill_anchored_urbs().\n\nFix the memory leak by anchoring the URB in the\nkvaser_usb_read_bulk_callback() to the dev->rx_submitted anchor."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c"], "versions": [{"version": "080f40a6fa28dab299da7a652e444b1e2d9231e7", "lessThan": "d9d824582f2ec76459ffab449e9b05c7bc49645c", "status": "affected", "versionType": "git"}, {"version": "080f40a6fa28dab299da7a652e444b1e2d9231e7", "lessThan": "40a3334ffda479c63e416e61ff086485e24401f7", "status": "affected", "versionType": "git"}, {"version": "080f40a6fa28dab299da7a652e444b1e2d9231e7", "lessThan": "c1b39fa24c140bc616f51fef4175c1743e2bb132", "status": "affected", "versionType": "git"}, {"version": "080f40a6fa28dab299da7a652e444b1e2d9231e7", "lessThan": "7c308f7530bffafa994e0aa8dc651a312f4b9ff4", "status": "affected", "versionType": "git"}, {"version": "080f40a6fa28dab299da7a652e444b1e2d9231e7", "lessThan": "94a7fc42e21c7d9d1c49778cd1db52de5df52a01", "status": "affected", "versionType": "git"}, {"version": "080f40a6fa28dab299da7a652e444b1e2d9231e7", "lessThan": "3b1a593eab941c3f32417896cc7df564191f2482", "status": "affected", "versionType": "git"}, {"version": "080f40a6fa28dab299da7a652e444b1e2d9231e7", "lessThan": "248e8e1a125fa875158df521b30f2cc7e27eeeaa", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c"], "versions": [{"version": "3.8", "status": "affected"}, {"version": "0", "lessThan": "3.8", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.249", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.199", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.162", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.122", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.68", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.8", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.8", "versionEndExcluding": "5.10.249"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.8", "versionEndExcluding": "5.15.199"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.8", "versionEndExcluding": "6.1.162"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.8", "versionEndExcluding": "6.6.122"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.8", "versionEndExcluding": "6.12.68"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.8", "versionEndExcluding": "6.18.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.8", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d9d824582f2ec76459ffab449e9b05c7bc49645c"}, {"url": "https://git.kernel.org/stable/c/40a3334ffda479c63e416e61ff086485e24401f7"}, {"url": "https://git.kernel.org/stable/c/c1b39fa24c140bc616f51fef4175c1743e2bb132"}, {"url": "https://git.kernel.org/stable/c/7c308f7530bffafa994e0aa8dc651a312f4b9ff4"}, {"url": "https://git.kernel.org/stable/c/94a7fc42e21c7d9d1c49778cd1db52de5df52a01"}, {"url": "https://git.kernel.org/stable/c/3b1a593eab941c3f32417896cc7df564191f2482"}, {"url": "https://git.kernel.org/stable/c/248e8e1a125fa875158df521b30f2cc7e27eeeaa"}], "title": "can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C1D3B462-A229-4130-A191-F09550344C59", "versionEndExcluding": "5.10.249", "versionStartIncluding": "3.8", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A247FBA6-BEB9-484F-B892-DD5517949CCD", "versionEndExcluding": "5.15.199", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6579E0D4-0641-479D-A4C3-0EF618798C55", "versionEndExcluding": "6.1.162", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8EAAE395-0162-4BAF-9AD5-E9AF3C869C4F", "versionEndExcluding": "6.6.122", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "52F38E19-0FDD-4992-9D6D-D4169D689598", "versionEndExcluding": "6.12.68", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E65C6E79-7EBE-4C77-93F0-818CF5B38F4E", "versionEndExcluding": "6.18.8", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak\n\nFix similar memory leak as in commit 7352e1d5932a (\"can: gs_usb:\ngs_usb_receive_bulk_callback(): fix URB memory leak\").\n\nIn kvaser_usb_set_{,data_}bittiming() -> kvaser_usb_setup_rx_urbs(), the\nURBs for USB-in transfers are allocated, added to the dev->rx_submitted\nanchor and submitted. In the complete callback\nkvaser_usb_read_bulk_callback(), the URBs are processed and resubmitted. In\nkvaser_usb_remove_interfaces() the URBs are freed by calling\nusb_kill_anchored_urbs(&dev->rx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in usb_kill_anchored_urbs().\n\nFix the memory leak by anchoring the URB in the\nkvaser_usb_read_bulk_callback() to the dev->rx_submitted anchor."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ncan: kvaser_usb: kvaser_usb_read_bulk_callback(): corregir fuga de memoria de URB\n\nCorregir fuga de memoria similar a la del commit 7352e1d5932a ('can: gs_usb: gs_usb_receive_bulk_callback(): corregir fuga de memoria de URB').\n\nEn kvaser_usb_set_{,data_}bittiming() -> kvaser_usb_setup_rx_urbs(), los URB para transferencias USB de entrada se asignan, se a\u00f1aden al ancla dev->rx_submitted y se env\u00edan. En la funci\u00f3n de devoluci\u00f3n de llamada completa kvaser_usb_read_bulk_callback(), los URB se procesan y se reenv\u00edan. En kvaser_usb_remove_interfaces(), los URB se liberan llamando a usb_kill_anchored_urbs(&dev->rx_submitted).\n\nSin embargo, esto no tiene en cuenta que el framework USB desancla el URB antes de que se llame a la funci\u00f3n completa. Esto significa que una vez que un URB de entrada ha sido completado, ya no est\u00e1 anclado y finalmente no se libera en usb_kill_anchored_urbs().\n\nCorregir la fuga de memoria anclando el URB en kvaser_usb_read_bulk_callback() al ancla dev->rx_submitted."}], "id": "CVE-2026-23061", "lastModified": "2026-03-13T21:28:28.673", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-04T17:16:16.787", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/248e8e1a125fa875158df521b30f2cc7e27eeeaa"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3b1a593eab941c3f32417896cc7df564191f2482"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/40a3334ffda479c63e416e61ff086485e24401f7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7c308f7530bffafa994e0aa8dc651a312f4b9ff4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/94a7fc42e21c7d9d1c49778cd1db52de5df52a01"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c1b39fa24c140bc616f51fef4175c1743e2bb132"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d9d824582f2ec76459ffab449e9b05c7bc49645c"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak", "id": "2436756", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436756"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-23061", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23061\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23061\nhttps://lore.kernel.org/linux-cve-announce/2026020415-CVE-2026-23061-31be@gregkh/T"], "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-04-17T23:42:43.625311+00:00", "value": {"mitigation_remediation": ["Apply a kernel update that includes the committed fix for the kvaser_usb memory leak (kernel version newer than the 6.19 release candidates before the patch).", "If an upgrade is not immediately possible, unload the kvaser_usb driver or prevent it from binding to untrusted USB CAN devices to stop further URB creation.", "Regularly monitor kernel memory usage and system logs for signs of excessive URB allocation, and consider disabling high\u2011traffic USB deployments until a patch is available."], "summary": {"action": "Patch", "impact": "Memory Leak"}, "threat_synthesis": {"affected_systems": "All Linux kernel versions that include the kvaser_usb driver are affected, including the 6.19 release candidates cited in the CPE entries. The issue exists in any kernel that ships the unpatched code, regardless of the specific patch level beyond the ones listed.", "description_and_impact": "The vulnerability in the Linux kernel\u2019s kvaser_usb driver allows unanchored USB Request Blocks (URBs) to persist after completion, causing a memory leak. Over time this leak can consume kernel memory, potentially leading to resource exhaustion and a crash or degraded system performance. The flaw is a classic memory management weakness (CWE\u2011401).", "risk_and_exploitability": "The CVSS score of 5.5 indicates a medium risk, but the EPSS score of less than 1% suggests a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Inferred attack scenarios involve a malicious or improperly configured USB CAN device that repeatedly triggers high\u2011frequency transfers, creating the circumstances for the URB memory leak. The attack requires physical or remote control over a USB subsystem that loads the kvaser_usb driver, and it can result in a denial of service rather than code execution or privilege escalation."}}}}, "created": "2026-04-17T23:45:25.813476+00:00", "updated": "2026-04-17T23:45:25.813486+00:00", "vendors": []}