CVE-2025-68343
Description
In the Linux kernel, the following vulnerability has been resolved:
can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header
The driver expects to receive a struct gs_host_frame in gs_usb_receive_bulk_callback().
Use struct_group to describe the header of the struct gs_host_frame and check that we have at least received the header before accessing any members of it.
To resubmit the URB, do not dereference the pointer chain "dev->parent->hf_size_rx" but use "parent->hf_size_rx" instead. Since "urb->context" contains "parent", it is always defined, while "dev" is not defined if the URB is too short.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Insufficient length check in Linux kernel gs_usb CAN driver leads to potential memory access violation.
Vulnerability
In the Linux kernel's gs_usb CAN driver, the function gs_usb_receive_bulk_callback() did not verify that the received URB's actual_length was at least the size of the header of struct gs_host_frame before accessing its members. This missing length check could allow an attacker to trigger an out-of-bounds read if a short URB is received [1][2][3][4].
Exploitation
An attacker with physical or local USB access to a system using a gs_usb-based CAN adapter could craft a malicious USB device that sends a URB with insufficient length. No authentication is required, and the attack can be launched from a compromised or custom CAN adapter connected to the USB port.
Impact
Successful exploitation could lead to information disclosure (reading kernel memory) or a system crash (denial of service), as the driver may access memory beyond the received data [1][2][3][4].
Mitigation
The fix introduces a struct_group to define the header and adds a check that the received data is at least the header size before accessing members. Additionally, the code now uses parent->hf_size_rx instead of dev->parent->hf_size_rx when resubmitting the URB, because dev is not defined when the URB is too short, while parent always is. Patches are available in the stable kernel trees [1][2][3][4]. Users should update to a kernel version containing these commits.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
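The length check and resubmit path described under Mitigation, as an added userspace C model (not the kernel driver's code and not part of the original page). The struct layout, the names frame_hdr, parent_model, dev_model, rx_checked and rx_demo, the two-channel limit and the size 64 are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Userspace model; names and layout are assumptions, not the driver's code. */
struct frame_hdr {                 /* the part the fix describes as the header */
    uint32_t echo_id, can_id;
    uint8_t  can_dlc, channel, flags, reserved;
};
struct dev_model { int id; };
struct parent_model {              /* what urb->context points to */
    size_t hf_size_rx;
    struct dev_model *canch[2];    /* assumed: two channels */
};
enum rx_result { RX_OK, RX_SHORT_HEADER, RX_BAD_CHANNEL };

/* Returns the verdict; *resubmit_len is the size used to re-arm the URB. */
enum rx_result rx_checked(struct parent_model *parent, const uint8_t *buf,
                          size_t actual_length, size_t *resubmit_len)
{
    struct frame_hdr hdr;
    struct dev_model *dev = NULL;  /* only meaningful once the header is parsed */
    enum rx_result res = RX_OK;
    /* Check the received length before touching any header member. */
    if (actual_length < sizeof(hdr)) {
        res = RX_SHORT_HEADER;
        goto resubmit;
    }
    memcpy(&hdr, buf, sizeof(hdr));
    if (hdr.channel >= 2) {
        res = RX_BAD_CHANNEL;
        goto resubmit;
    }
    dev = parent->canch[hdr.channel];
    (void)dev;                     /* the frame would be delivered to dev here */
resubmit:
    /* Use parent directly: dev was never assigned on the short-URB path. */
    *resubmit_len = parent->hf_size_rx;
    return res;
}

/* Constructed input: n received bytes of a header naming the given channel. */
enum rx_result rx_demo(size_t n, uint8_t channel, size_t *resubmit_len)
{
    struct dev_model d0 = { 0 }, d1 = { 1 };
    struct parent_model p = { 64, { &d0, &d1 } };
    struct frame_hdr h = { 0, 0x123, 0, channel, 0, 0 };
    uint8_t buf[sizeof(h)];
    memcpy(buf, &h, sizeof(h));
    return rx_checked(&p, buf, n, resubmit_len);
}
```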
References
- git.kernel.org/stable/c/18cbce43363c9f84b90a92d57df341155eee0697 (nvd)
- git.kernel.org/stable/c/3433680b759646efcacc64fe36aa2e51ae34b8f0 (nvd)
- git.kernel.org/stable/c/616eee3e895b8ca0028163fcb1dce5e3e9dea322 (nvd)
- git.kernel.org/stable/c/6fe9f3279f7d2518439a7962c5870c6e9ecbadcf (nvd)
- git.kernel.org/stable/c/f31693dc3a584c0ad3937e857b59dbc1a7ed2b87 (nvd)