{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23080", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.959Z", "datePublished": "2026-02-04T16:08:04.982Z", "dateUpdated": "2026-05-11T21:59:36.827Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:59:36.827Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak\n\nFix similar memory leak as in commit 7352e1d5932a (\"can: gs_usb:\ngs_usb_receive_bulk_callback(): fix URB memory leak\").\n\nIn mcba_usb_probe() -> mcba_usb_start(), the URBs for USB-in transfers are\nallocated, added to the priv->rx_submitted anchor and submitted. In the\ncomplete callback mcba_usb_read_bulk_callback(), the URBs are processed and\nresubmitted. In mcba_usb_close() -> mcba_urb_unlink() the URBs are freed by\ncalling usb_kill_anchored_urbs(&priv->rx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in usb_kill_anchored_urbs().\n\nFix the memory leak by anchoring the URB in the\nmcba_usb_read_bulk_callback()to the priv->rx_submitted anchor."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/can/usb/mcba_usb.c"], "versions": [{"version": "51f3baad7de943780ce0c17bd7975df567dd6e14", "lessThan": "8b34c611a4feb81921bc4728c091e4e3ba0270c0", "status": "affected", "versionType": "git"}, {"version": "51f3baad7de943780ce0c17bd7975df567dd6e14", "lessThan": "b5a1ccdc63b71d93a69a6b72f7a3f3934293ea60", "status": "affected", "versionType": "git"}, {"version": "51f3baad7de943780ce0c17bd7975df567dd6e14", "lessThan": "59153b6388e05609144ad56a9b354e9100a91983", "status": "affected", "versionType": "git"}, {"version": "51f3baad7de943780ce0c17bd7975df567dd6e14", "lessThan": "179f6f0cf5ae489743273b7c1644324c0c477ea9", "status": "affected", "versionType": "git"}, {"version": "51f3baad7de943780ce0c17bd7975df567dd6e14", "lessThan": "94c9f6f7b953f6382fef4bdc48c046b861b8868f", "status": "affected", "versionType": "git"}, {"version": "51f3baad7de943780ce0c17bd7975df567dd6e14", "lessThan": "d374d715e338dfc3804aaa006fa6e470ffebb264", "status": "affected", "versionType": "git"}, {"version": "51f3baad7de943780ce0c17bd7975df567dd6e14", "lessThan": "710a7529fb13c5a470258ff5508ed3c498d54729", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/can/usb/mcba_usb.c"], "versions": [{"version": "4.12", "status": "affected"}, {"version": "0", "lessThan": "4.12", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.249", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.199", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.162", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.122", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.68", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.8", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.12", "versionEndExcluding": "5.10.249"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.12", "versionEndExcluding": "5.15.199"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.12", "versionEndExcluding": "6.1.162"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.12", "versionEndExcluding": "6.6.122"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.12", "versionEndExcluding": "6.12.68"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.12", "versionEndExcluding": "6.18.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.12", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/8b34c611a4feb81921bc4728c091e4e3ba0270c0"}, {"url": "https://git.kernel.org/stable/c/b5a1ccdc63b71d93a69a6b72f7a3f3934293ea60"}, {"url": "https://git.kernel.org/stable/c/59153b6388e05609144ad56a9b354e9100a91983"}, {"url": "https://git.kernel.org/stable/c/179f6f0cf5ae489743273b7c1644324c0c477ea9"}, {"url": "https://git.kernel.org/stable/c/94c9f6f7b953f6382fef4bdc48c046b861b8868f"}, {"url": "https://git.kernel.org/stable/c/d374d715e338dfc3804aaa006fa6e470ffebb264"}, {"url": "https://git.kernel.org/stable/c/710a7529fb13c5a470258ff5508ed3c498d54729"}], "title": "can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0B2F1303-C14D-45B0-BA87-F552F8C544A7", "versionEndExcluding": "5.10.249", "versionStartIncluding": "4.12", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A247FBA6-BEB9-484F-B892-DD5517949CCD", "versionEndExcluding": "5.15.199", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6579E0D4-0641-479D-A4C3-0EF618798C55", "versionEndExcluding": "6.1.162", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8EAAE395-0162-4BAF-9AD5-E9AF3C869C4F", "versionEndExcluding": "6.6.122", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "52F38E19-0FDD-4992-9D6D-D4169D689598", "versionEndExcluding": "6.12.68", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E65C6E79-7EBE-4C77-93F0-818CF5B38F4E", "versionEndExcluding": "6.18.8", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak\n\nFix similar memory leak as in commit 7352e1d5932a (\"can: gs_usb:\ngs_usb_receive_bulk_callback(): fix URB memory leak\").\n\nIn mcba_usb_probe() -> mcba_usb_start(), the URBs for USB-in transfers are\nallocated, added to the priv->rx_submitted anchor and submitted. In the\ncomplete callback mcba_usb_read_bulk_callback(), the URBs are processed and\nresubmitted. In mcba_usb_close() -> mcba_urb_unlink() the URBs are freed by\ncalling usb_kill_anchored_urbs(&priv->rx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in usb_kill_anchored_urbs().\n\nFix the memory leak by anchoring the URB in the\nmcba_usb_read_bulk_callback()to the priv->rx_submitted anchor."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ncan: mcba_usb: mcba_usb_read_bulk_callback(): corrige la fuga de memoria de URB\n\nCorrige una fuga de memoria similar a la del commit 7352e1d5932a ('can: gs_usb: gs_usb_receive_bulk_callback(): corrige la fuga de memoria de URB').\n\nEn mcba_usb_probe() -> mcba_usb_start(), los URB para transferencias USB de entrada se asignan, se a\u00f1aden al ancla priv->rx_submitted y se env\u00edan. En la funci\u00f3n de callback de completado mcba_usb_read_bulk_callback(), los URB se procesan y se reenv\u00edan. En mcba_usb_close() -> mcba_urb_unlink(), los URB se liberan llamando a usb_kill_anchored_urbs(&priv->rx_submitted).\n\nSin embargo, esto no tiene en cuenta que el framework USB desancla el URB antes de que se llame a la funci\u00f3n de completado. Esto significa que una vez que un URB de entrada ha sido completado, ya no est\u00e1 anclado y finalmente no se libera en usb_kill_anchored_urbs().\n\nCorrige la fuga de memoria anclando el URB en mcba_usb_read_bulk_callback() al ancla priv->rx_submitted."}], "id": "CVE-2026-23080", "lastModified": "2026-03-18T13:48:13.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-04T17:16:18.750", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/179f6f0cf5ae489743273b7c1644324c0c477ea9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/59153b6388e05609144ad56a9b354e9100a91983"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/710a7529fb13c5a470258ff5508ed3c498d54729"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8b34c611a4feb81921bc4728c091e4e3ba0270c0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/94c9f6f7b953f6382fef4bdc48c046b861b8868f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b5a1ccdc63b71d93a69a6b72f7a3f3934293ea60"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d374d715e338dfc3804aaa006fa6e470ffebb264"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak", "id": "2436774", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436774"}, "csaw": false, "details": ["No description is available for this CVE."], "name": "CVE-2026-23080", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23080\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23080\nhttps://lore.kernel.org/linux-cve-announce/2026020421-CVE-2026-23080-74d1@gregkh/T"], "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-18T13:53:16.309371+00:00", "value": {"mitigation_remediation": ["Apply a kernel patch that anchors URBs in the read bulk callback, thereby eliminating the memory leak, as the referenced commits describe.", "If an immediate patch is unavailable, consider disabling the mcba_usb driver or limiting USB traffic to the MACB CAN interface until the fix can be applied.", "Implement strict device filtering or authentication for USB devices that can drive the MACB CAN interface to reduce the risk of accidental or malicious traffic."], "summary": {"action": "Monitor", "impact": "memory exhaustion leading to possible denial of service via memory leak"}, "threat_synthesis": {"affected_systems": "The flaw affects all Linux kernel releases that ship the mcba_usb subsystem and that have not yet incorporated the anchoring fix. The relevant CPE entries include the generic linux:linux_kernel family as well as the 6.19 release candidates (rc1 through rc6). Users should verify that their running kernel version appears in those CPE listings and the change is not yet applied.", "description_and_impact": "The vulnerability is a memory\u2011allocation fault in the Linux CAN MACB USB driver. When a USB inbound transfer completes, the USB framework unanchors the endpoint request block (URB) before the driver\u2019s complete callback processes it. The callback then attempts to free the URB via usb_kill_anchored_urbs, which only releases anchored URBs. Because the URB had already been unanchored, it is never freed, and each completed transfer leaves an orphaned object in kernel memory. Accumulation of such stray URBs can exhaust kernel memory and lead to a denial\u2011of\u2011service condition. This is a classic memory\u2011leak weakness identified by CWE\u2011401.", "risk_and_exploitability": "The CVSS score of 5.5 categorises the issue as moderate severity, while the EPSS score of less than 1\u202f% indicates a very low probability of exploitation in the wild. It is not listed in the CISA KEV catalog. Exploitation would require an attacker to generate sustained USB traffic through a MACB CAN device that is in use. The need for persistent traffic from a device attached to the compromised host is inferred from the description; no remote code execution or privilege escalation is described."}}}}, "created": "2026-04-18T14:00:02.184005+00:00", "updated": "2026-04-18T14:00:02.184020+00:00", "vendors": []}