{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23324", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.996Z", "datePublished": "2026-03-25T10:27:17.476Z", "dateUpdated": "2026-05-11T22:04:39.706Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:04:39.706Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: usb: etas_es58x: correctly anchor the urb in the read bulk callback\n\nWhen submitting an urb, that is using the anchor pattern, it needs to be\nanchored before submitting it otherwise it could be leaked if\nusb_kill_anchored_urbs() is called. This logic is correctly done\nelsewhere in the driver, except in the read bulk callback so do that\nhere also."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/can/usb/etas_es58x/es58x_core.c"], "versions": [{"version": "8537257874e949a59c834cecfd5a063e11b64b0b", "lessThan": "7a0171b4921ad443fee5ed4fcb9d99fa4776edac", "status": "affected", "versionType": "git"}, {"version": "8537257874e949a59c834cecfd5a063e11b64b0b", "lessThan": "2185ea6e4ebcb61d1224dc7d187c59723cb5ad59", "status": "affected", "versionType": "git"}, {"version": "8537257874e949a59c834cecfd5a063e11b64b0b", "lessThan": "f6e90c113c92e83fc0963d5e60e16b0e8a268981", "status": "affected", "versionType": "git"}, {"version": "8537257874e949a59c834cecfd5a063e11b64b0b", "lessThan": "b878444519fa03a3edd287d1963cf79ef78be2f1", "status": "affected", "versionType": "git"}, {"version": "8537257874e949a59c834cecfd5a063e11b64b0b", "lessThan": "18eee279e9b5bff0db1aca9475ae4bc12804f05c", "status": "affected", "versionType": "git"}, {"version": "8537257874e949a59c834cecfd5a063e11b64b0b", "lessThan": "b8f9ca88253574638bcff38900a4c28d570b1919", "status": "affected", "versionType": "git"}, {"version": "8537257874e949a59c834cecfd5a063e11b64b0b", "lessThan": "5eaad4f768266f1f17e01232ffe2ef009f8129b7", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/can/usb/etas_es58x/es58x_core.c"], "versions": [{"version": "5.13", "status": "affected"}, {"version": "0", "lessThan": "5.13", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/7a0171b4921ad443fee5ed4fcb9d99fa4776edac"}, {"url": "https://git.kernel.org/stable/c/2185ea6e4ebcb61d1224dc7d187c59723cb5ad59"}, {"url": "https://git.kernel.org/stable/c/f6e90c113c92e83fc0963d5e60e16b0e8a268981"}, {"url": "https://git.kernel.org/stable/c/b878444519fa03a3edd287d1963cf79ef78be2f1"}, {"url": "https://git.kernel.org/stable/c/18eee279e9b5bff0db1aca9475ae4bc12804f05c"}, {"url": "https://git.kernel.org/stable/c/b8f9ca88253574638bcff38900a4c28d570b1919"}, {"url": "https://git.kernel.org/stable/c/5eaad4f768266f1f17e01232ffe2ef009f8129b7"}], "title": "can: usb: etas_es58x: correctly anchor the urb in the read bulk callback", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "CC3F58C6-09EC-41E6-8E82-613F5965C0DB", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.13.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2EDC6BAF-B710-4E26-B6AA-D68922EE7B43", "versionEndExcluding": "6.1.167", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C57BB918-DF28-46B3-94F7-144176841267", "versionEndExcluding": "6.6.130", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B3D12E00-E42D-4056-B354-BAD4903C03A5", "versionEndExcluding": "6.12.77", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5E006E4-59C7-43C1-9231-62A72219F2BA", "versionEndExcluding": "6.18.17", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3", "versionEndExcluding": "6.19.7", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.13:-:*:*:*:*:*:*", "matchCriteriaId": "8F0E7012-0BA3-4E6A-ADE9-57973CBDEE28", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: usb: etas_es58x: correctly anchor the urb in the read bulk callback\n\nWhen submitting an urb, that is using the anchor pattern, it needs to be\nanchored before submitting it otherwise it could be leaked if\nusb_kill_anchored_urbs() is called. This logic is correctly done\nelsewhere in the driver, except in the read bulk callback so do that\nhere also."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ncan: usb: etas_es58x: anclar correctamente el urb en la funci\u00f3n de devoluci\u00f3n de llamada de lectura masiva\n\nAl enviar un urb, que est\u00e1 usando el patr\u00f3n de anclaje, necesita ser anclado antes de enviarlo, de lo contrario, podr\u00eda filtrarse si se llama a usb_kill_anchored_urbs(). Esta l\u00f3gica se realiza correctamente en otras partes del controlador, excepto en la funci\u00f3n de devoluci\u00f3n de llamada de lectura masiva, as\u00ed que hazlo aqu\u00ed tambi\u00e9n."}], "id": "CVE-2026-23324", "lastModified": "2026-04-23T21:05:15.090", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-25T11:16:29.377", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/18eee279e9b5bff0db1aca9475ae4bc12804f05c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2185ea6e4ebcb61d1224dc7d187c59723cb5ad59"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5eaad4f768266f1f17e01232ffe2ef009f8129b7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7a0171b4921ad443fee5ed4fcb9d99fa4776edac"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b878444519fa03a3edd287d1963cf79ef78be2f1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b8f9ca88253574638bcff38900a4c28d570b1919"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f6e90c113c92e83fc0963d5e60e16b0e8a268981"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: can: usb: etas_es58x: correctly anchor the urb in the read bulk callback", "id": "2451214", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451214"}, "csaw": false, "cwe": "CWE-772", "details": ["A flaw was found in the Linux kernel's etas_es58x USB CAN bus driver. The driver fails to correctly anchor the USB Request Block (urb) in the read bulk callback. This oversight can lead to a memory leak if usb_kill_anchored_urbs() is called without the urb being properly anchored. The continuous leakage of memory could result in system instability or a Denial of Service (DoS)."], "name": "CVE-2026-23324", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23324\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23324\nhttps://lore.kernel.org/linux-cve-announce/2026032531-CVE-2026-23324-bc9e@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8537257874e949a59c834cecfd5a063e11b64b0b,2185ea6e4ebcb61d1224dc7d187c59723cb5ad59)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8537257874e949a59c834cecfd5a063e11b64b0b,f6e90c113c92e83fc0963d5e60e16b0e8a268981)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8537257874e949a59c834cecfd5a063e11b64b0b,b878444519fa03a3edd287d1963cf79ef78be2f1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8537257874e949a59c834cecfd5a063e11b64b0b,18eee279e9b5bff0db1aca9475ae4bc12804f05c)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8537257874e949a59c834cecfd5a063e11b64b0b,b8f9ca88253574638bcff38900a4c28d570b1919)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8537257874e949a59c834cecfd5a063e11b64b0b,5eaad4f768266f1f17e01232ffe2ef009f8129b7)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.13"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.13)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc3,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-29T00:44:27.883926+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that contains the commit anchoring the URB in the read bulk callback.", "If an immediate kernel upgrade is not possible, disable or remove the etas_es58x driver module to eliminate the vulnerability.", "Continuously monitor logs for usb_kill_anchored_urbs activity and for signs of memory exhaustion that could indicate exploitation."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases that include the etas_es58x USB driver and have not applied the fix are affected. The vulnerable code is present in kernel versions preceding the commit that introduced the anchor logic; relevant releases include 5.13 and the 7.0 development releases (RC1 through RC7).", "description_and_impact": "The flaw is in the Linux kernel USB driver for etas_es58x. When an URB that should be anchored is processed in the read bulk callback, it is not anchored before submission. If usb_kill_anchored_urbs is later invoked, the URB can be leaked, causing an unreleased kernel resource. This improper release leads to a resource leak that could allow an attacker to consume kernel memory or other resources until the system becomes unresponsive. The vulnerability corresponds to CWE-772: Improper Release of Resource after Effective Lifetime.", "risk_and_exploitability": "The CVSS score of 5.5 indicates a medium severity vulnerability. The EPSS score is below 1\u202f%, and the issue is not listed in the CISA KEV catalog, suggesting a low likelihood of widespread exploitation. Based on the description, it is inferred that the attack vector would be local and would require an attacker to interact with the USB device to trigger the read bulk callback, which may be achievable by plugging a malicious device or by compromising the host."}}}}, "created": "2026-03-25T21:27:37.090003+00:00", "title": "Linux Kernel USB Driver Anchor Bug Causing Possible Resource Leak", "updated": "2026-04-29T00:45:26.174139+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}