{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23075", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.958Z", "datePublished": "2026-02-04T16:08:00.169Z", "dateUpdated": "2026-05-11T21:59:31.107Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:59:31.107Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak\n\nFix similar memory leak as in commit 7352e1d5932a (\"can: gs_usb:\ngs_usb_receive_bulk_callback(): fix URB memory leak\").\n\nIn esd_usb_open(), the URBs for USB-in transfers are allocated, added to\nthe dev->rx_submitted anchor and submitted. In the complete callback\nesd_usb_read_bulk_callback(), the URBs are processed and resubmitted. In\nesd_usb_close() the URBs are freed by calling\nusb_kill_anchored_urbs(&dev->rx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in esd_usb_close().\n\nFix the memory leak by anchoring the URB in the\nesd_usb_read_bulk_callback() to the dev->rx_submitted anchor."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/can/usb/esd_usb.c"], "versions": [{"version": "96d8e90382dc336b5de401164597edfdc2e8d9f1", "lessThan": "93b34d4ba7266030801a509c088ac77c0d7a12e9", "status": "affected", "versionType": "git"}, {"version": "96d8e90382dc336b5de401164597edfdc2e8d9f1", "lessThan": "dc934d96673992af8568664c1b58e13eb164010d", "status": "affected", "versionType": "git"}, {"version": "96d8e90382dc336b5de401164597edfdc2e8d9f1", "lessThan": "92d26ce07ac3b7a850dc68c8d73d487b39c39b33", "status": "affected", "versionType": "git"}, {"version": "96d8e90382dc336b5de401164597edfdc2e8d9f1", "lessThan": "adec5e1f9c99fe079ec4c92cca3f1109a3e257c3", "status": "affected", "versionType": "git"}, {"version": "96d8e90382dc336b5de401164597edfdc2e8d9f1", "lessThan": "9d1807b442fc3286b204f8e59981b10e743533ce", "status": "affected", "versionType": "git"}, {"version": "96d8e90382dc336b5de401164597edfdc2e8d9f1", "lessThan": "a9503ae43256e80db5cba9d449b238607164c51d", "status": "affected", "versionType": "git"}, {"version": "96d8e90382dc336b5de401164597edfdc2e8d9f1", "lessThan": "5a4391bdc6c8357242f62f22069c865b792406b3", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/can/usb/esd_usb.c"], "versions": [{"version": "2.6.36", "status": "affected"}, {"version": "0", "lessThan": "2.6.36", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.249", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.199", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.162", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.122", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.68", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.8", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.36", "versionEndExcluding": "5.10.249"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.36", "versionEndExcluding": "5.15.199"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.36", "versionEndExcluding": "6.1.162"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.36", "versionEndExcluding": "6.6.122"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.36", "versionEndExcluding": "6.12.68"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.36", "versionEndExcluding": "6.18.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.36", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/93b34d4ba7266030801a509c088ac77c0d7a12e9"}, {"url": "https://git.kernel.org/stable/c/dc934d96673992af8568664c1b58e13eb164010d"}, {"url": "https://git.kernel.org/stable/c/92d26ce07ac3b7a850dc68c8d73d487b39c39b33"}, {"url": "https://git.kernel.org/stable/c/adec5e1f9c99fe079ec4c92cca3f1109a3e257c3"}, {"url": "https://git.kernel.org/stable/c/9d1807b442fc3286b204f8e59981b10e743533ce"}, {"url": "https://git.kernel.org/stable/c/a9503ae43256e80db5cba9d449b238607164c51d"}, {"url": "https://git.kernel.org/stable/c/5a4391bdc6c8357242f62f22069c865b792406b3"}], "title": "can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7C2DE327-F70B-4781-9BFB-65F2DF43660F", "versionEndExcluding": "5.10.249", "versionStartIncluding": "2.6.36", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A247FBA6-BEB9-484F-B892-DD5517949CCD", "versionEndExcluding": "5.15.199", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6579E0D4-0641-479D-A4C3-0EF618798C55", "versionEndExcluding": "6.1.162", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8EAAE395-0162-4BAF-9AD5-E9AF3C869C4F", "versionEndExcluding": "6.6.122", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "52F38E19-0FDD-4992-9D6D-D4169D689598", "versionEndExcluding": "6.12.68", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E65C6E79-7EBE-4C77-93F0-818CF5B38F4E", "versionEndExcluding": "6.18.8", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak\n\nFix similar memory leak as in commit 7352e1d5932a (\"can: gs_usb:\ngs_usb_receive_bulk_callback(): fix URB memory leak\").\n\nIn esd_usb_open(), the URBs for USB-in transfers are allocated, added to\nthe dev->rx_submitted anchor and submitted. In the complete callback\nesd_usb_read_bulk_callback(), the URBs are processed and resubmitted. In\nesd_usb_close() the URBs are freed by calling\nusb_kill_anchored_urbs(&dev->rx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in esd_usb_close().\n\nFix the memory leak by anchoring the URB in the\nesd_usb_read_bulk_callback() to the dev->rx_submitted anchor."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ncan: esd_usb: esd_usb_read_bulk_callback(): corregir fuga de memoria de URB\n\nCorregir fuga de memoria similar a la del commit 7352e1d5932a ('can: gs_usb: gs_usb_receive_bulk_callback(): corregir fuga de memoria de URB').\n\nEn esd_usb_open(), los URB para transferencias USB de entrada son asignados, a\u00f1adidos al ancla dev->rx_submitted y enviados. En la funci\u00f3n de devoluci\u00f3n de llamada completa esd_usb_read_bulk_callback(), los URB son procesados y reenviados. En esd_usb_close(), los URB son liberados llamando a usb_kill_anchored_urbs(&dev->rx_submitted).\n\nSin embargo, esto no tiene en cuenta que el framework USB desancla el URB antes de que se llame a la funci\u00f3n completa. Esto significa que una vez que un URB de entrada ha sido completado, ya no est\u00e1 anclado y finalmente no es liberado en esd_usb_close().\n\nCorregir la fuga de memoria anclando el URB en esd_usb_read_bulk_callback() al ancla dev->rx_submitted."}], "id": "CVE-2026-23075", "lastModified": "2026-03-18T17:16:12.083", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-04T17:16:18.227", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5a4391bdc6c8357242f62f22069c865b792406b3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/92d26ce07ac3b7a850dc68c8d73d487b39c39b33"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/93b34d4ba7266030801a509c088ac77c0d7a12e9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9d1807b442fc3286b204f8e59981b10e743533ce"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a9503ae43256e80db5cba9d449b238607164c51d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/adec5e1f9c99fe079ec4c92cca3f1109a3e257c3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/dc934d96673992af8568664c1b58e13eb164010d"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak", "id": "2436803", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436803"}, "csaw": false, "details": ["No description is available for this CVE."], "name": "CVE-2026-23075", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23075\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23075\nhttps://lore.kernel.org/linux-cve-announce/2026020419-CVE-2026-23075-0aef@gregkh/T"]}

{"analysis": {"en": {"generated_at": "2026-04-18T18:29:12.134628+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that incorporates the esd_usb memory\u2011leak fix (e.g., the commit referenced in the advisory).", "Restart the system or reload the esd_usb module to ensure the new code takes effect.", "Limit physical and user access to USB ESD devices and monitor memory usage to detect persistent leaks."], "summary": {"action": "Patch", "impact": "Denial of Service via memory exhaustion from a USB driver's URB leak"}, "threat_synthesis": {"affected_systems": "The flaw exists in the esd_usb driver of the Linux kernel, which handles CAN-over-USB. The driver is included in all kernel versions beginning with the 6.19 release candidates, but the exact versions are not specified by the CNA. Systems running these kernels without the fix are susceptible.", "description_and_impact": "The Linux kernel esd_usb driver can leak memory when completed USB read requests are not properly anchored, causing unused URBs to remain allocated and eventually exhausting RAM. This vulnerability does not directly facilitate arbitrary code execution or data disclosure, but it can degrade system stability and availability by leading to a local denial\u2011of\u2011service condition. The weakness is classified as a memory leak (CWE-401).", "risk_and_exploitability": "The CVSS score of 5.5 indicates moderate severity. EPSS data shows a probability of exploitability below 1%, meaning the likelihood of real\u2011world exploitation is low, and the vulnerability is not in the CISA KEV catalog. The attack vector is inferred to be local: an attacker with physical or administrative access to a USB ESD device must succeed. Exploitation requires the driver to process USB read traffic enough to accumulate unreleased URBs; no privilege escalation or remote code theft is involved."}}}}, "created": "2026-04-18T18:30:07.293763+00:00", "updated": "2026-04-18T18:30:07.293774+00:00", "vendors": []}