{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23108", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.967Z", "datePublished": "2026-02-04T16:08:28.650Z", "dateUpdated": "2026-05-11T22:00:16.739Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:00:16.739Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak\n\nFix similar memory leak as in commit 7352e1d5932a (\"can: gs_usb:\ngs_usb_receive_bulk_callback(): fix URB memory leak\").\n\nIn usb_8dev_open() -> usb_8dev_start(), the URBs for USB-in transfers are\nallocated, added to the priv->rx_submitted anchor and submitted. In the\ncomplete callback usb_8dev_read_bulk_callback(), the URBs are processed and\nresubmitted. In usb_8dev_close() -> unlink_all_urbs() the URBs are freed by\ncalling usb_kill_anchored_urbs(&priv->rx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in usb_kill_anchored_urbs().\n\nFix the memory leak by anchoring the URB in the\nusb_8dev_read_bulk_callback() to the priv->rx_submitted anchor."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/can/usb/usb_8dev.c"], "versions": [{"version": "0024d8ad1639e32d717445c69ca813fd19c2a91c", "lessThan": "feb8243eaea7efd5279b19667d7189fd8654c87a", "status": "affected", "versionType": "git"}, {"version": "0024d8ad1639e32d717445c69ca813fd19c2a91c", "lessThan": "ef6e608e5ee71eca0cd3475c737e684cef24f240", "status": "affected", "versionType": "git"}, {"version": "0024d8ad1639e32d717445c69ca813fd19c2a91c", "lessThan": "60719661b4cbd7ffbed1a0e0fa3bbc82d8bd2be9", "status": "affected", "versionType": "git"}, {"version": "0024d8ad1639e32d717445c69ca813fd19c2a91c", "lessThan": "59ff56992bba28051ad67cd8cc7b0edfe7280796", "status": "affected", "versionType": "git"}, {"version": "0024d8ad1639e32d717445c69ca813fd19c2a91c", "lessThan": "ea4a98e924164586066b39f29bfcc7cc9da108cd", "status": "affected", "versionType": "git"}, {"version": "0024d8ad1639e32d717445c69ca813fd19c2a91c", "lessThan": "07e9373739c6388af9d99797cdb2e79dbbcbe92b", "status": "affected", "versionType": "git"}, {"version": "0024d8ad1639e32d717445c69ca813fd19c2a91c", "lessThan": "f7a980b3b8f80fe367f679da376cf76e800f9480", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/can/usb/usb_8dev.c"], "versions": [{"version": "3.9", "status": "affected"}, {"version": "0", "lessThan": "3.9", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.249", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.199", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.162", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.122", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.68", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.8", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.9", "versionEndExcluding": "5.10.249"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.9", "versionEndExcluding": "5.15.199"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.9", "versionEndExcluding": "6.1.162"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.9", "versionEndExcluding": "6.6.122"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.9", "versionEndExcluding": "6.12.68"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.9", "versionEndExcluding": "6.18.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.9", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/feb8243eaea7efd5279b19667d7189fd8654c87a"}, {"url": "https://git.kernel.org/stable/c/ef6e608e5ee71eca0cd3475c737e684cef24f240"}, {"url": "https://git.kernel.org/stable/c/60719661b4cbd7ffbed1a0e0fa3bbc82d8bd2be9"}, {"url": "https://git.kernel.org/stable/c/59ff56992bba28051ad67cd8cc7b0edfe7280796"}, {"url": "https://git.kernel.org/stable/c/ea4a98e924164586066b39f29bfcc7cc9da108cd"}, {"url": "https://git.kernel.org/stable/c/07e9373739c6388af9d99797cdb2e79dbbcbe92b"}, {"url": "https://git.kernel.org/stable/c/f7a980b3b8f80fe367f679da376cf76e800f9480"}], "title": "can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0DA926F9-DB52-45D7-A34F-F18540B9BD53", "versionEndExcluding": "5.10.249", "versionStartIncluding": "3.9", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A247FBA6-BEB9-484F-B892-DD5517949CCD", "versionEndExcluding": "5.15.199", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6579E0D4-0641-479D-A4C3-0EF618798C55", "versionEndExcluding": "6.1.162", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8EAAE395-0162-4BAF-9AD5-E9AF3C869C4F", "versionEndExcluding": "6.6.122", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "52F38E19-0FDD-4992-9D6D-D4169D689598", "versionEndExcluding": "6.12.68", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E65C6E79-7EBE-4C77-93F0-818CF5B38F4E", "versionEndExcluding": "6.18.8", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak\n\nFix similar memory leak as in commit 7352e1d5932a (\"can: gs_usb:\ngs_usb_receive_bulk_callback(): fix URB memory leak\").\n\nIn usb_8dev_open() -> usb_8dev_start(), the URBs for USB-in transfers are\nallocated, added to the priv->rx_submitted anchor and submitted. In the\ncomplete callback usb_8dev_read_bulk_callback(), the URBs are processed and\nresubmitted. In usb_8dev_close() -> unlink_all_urbs() the URBs are freed by\ncalling usb_kill_anchored_urbs(&priv->rx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in usb_kill_anchored_urbs().\n\nFix the memory leak by anchoring the URB in the\nusb_8dev_read_bulk_callback() to the priv->rx_submitted anchor."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ncan: usb_8dev: usb_8dev_read_bulk_callback(): corregir fuga de memoria de URB\n\nCorrige una fuga de memoria similar a la del commit 7352e1d5932a ('can: gs_usb: gs_usb_receive_bulk_callback(): corregir fuga de memoria de URB').\n\nEn usb_8dev_open() -> usb_8dev_start(), los URB para transferencias USB de entrada se asignan, se a\u00f1aden al ancla priv->rx_submitted y se env\u00edan. En la funci\u00f3n de devoluci\u00f3n de llamada completa usb_8dev_read_bulk_callback(), los URB se procesan y se reenv\u00edan. En usb_8dev_close() -> unlink_all_urbs(), los URB se liberan llamando a usb_kill_anchored_urbs(&priv->rx_submitted).\n\nSin embargo, esto no tiene en cuenta que el framework USB desancla el URB antes de que se llame a la funci\u00f3n completa. Esto significa que una vez que un URB de entrada ha sido completado, ya no est\u00e1 anclado y finalmente no se libera en usb_kill_anchored_urbs().\n\nCorrige la fuga de memoria anclando el URB en usb_8dev_read_bulk_callback() al ancla priv->rx_submitted."}], "id": "CVE-2026-23108", "lastModified": "2026-03-18T17:12:48.823", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-04T17:16:21.673", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/07e9373739c6388af9d99797cdb2e79dbbcbe92b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/59ff56992bba28051ad67cd8cc7b0edfe7280796"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/60719661b4cbd7ffbed1a0e0fa3bbc82d8bd2be9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ea4a98e924164586066b39f29bfcc7cc9da108cd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ef6e608e5ee71eca0cd3475c737e684cef24f240"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f7a980b3b8f80fe367f679da376cf76e800f9480"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/feb8243eaea7efd5279b19667d7189fd8654c87a"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak", "id": "2436830", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436830"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-23108", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23108\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23108\nhttps://lore.kernel.org/linux-cve-announce/2026020431-CVE-2026-23108-0550@gregkh/T"], "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-18T18:26:26.585167+00:00", "value": {"mitigation_remediation": ["Apply a kernel update that includes the patch to anchor URBs in the usb_8dev driver (for example, upgrade to 6.19 rc7 or later).", "Upgrade the entire kernel stack to a fixed release if a later 6.19 version is unavailable.", "If an upgrade is not immediately possible, disable the usb_8dev driver or disconnect the USB CAN device to prevent the leak from occurring."], "summary": {"action": "Patch", "impact": "Memory Leak"}, "threat_synthesis": {"affected_systems": "The issue is present in the Linux kernel, specifically in the 6.19 release candidate series (rc1 through rc6). Any installations using these kernel versions could be affected if the usb_8dev driver is loaded and used for CAN over USB devices.", "description_and_impact": "The vulnerability stems from the kernel USB driver for the 8dev CAN device not anchoring URBs in the read bulk callback, causing the URBs to remain unfreed after completion. The unfreed URBs create a memory leak; the CVE description does not specify any resulting system effects such as degraded performance or kernel panic. The weakness is a classic memory corruption flaw (CWE-401).", "risk_and_exploitability": "The CVSS score is 5.5, indicating moderate severity, while the EPSS score is below 1%, demonstrating a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The exact attack vector is not specified in the CVE, but it might involve interaction with the USB subsystem, possibly requiring a malicious USB device."}}}}, "created": "2026-04-18T18:30:07.291791+00:00", "updated": "2026-04-18T18:30:07.291862+00:00", "vendors": []}