CVE-2026-23031
Description
In the Linux kernel, the following vulnerability has been resolved:
can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak
In gs_can_open(), the URBs for USB-in transfers are allocated, added to the parent->rx_submitted anchor and submitted. In the complete callback gs_usb_receive_bulk_callback(), the URB is processed and resubmitted. In gs_can_close() the URBs are freed by calling usb_kill_anchored_urbs(parent->rx_submitted).
However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in gs_can_close().
Fix the memory leak by anchoring the URB in the gs_usb_receive_bulk_callback() to the parent->rx_submitted anchor.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A URB memory leak in the Linux kernel's gs_usb CAN driver allows local attackers to exhaust kernel memory by repeatedly opening and closing the device.
Vulnerability
Description
The gs_usb driver for USB CAN adapters contains a memory leak in its URB (USB Request Block) management. In gs_can_open(), URBs for USB-in transfers are allocated, anchored to parent->rx_submitted, and submitted. When each URB completes, the USB framework unanchors it before invoking the callback gs_usb_receive_bulk_callback(). However, the callback does not re-anchor the URB, so it becomes detached. Subsequently, gs_can_close() frees only anchored URBs via usb_kill_anchored_urbs(), leaving completed URBs unfreed.
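The lifecycle described above, as a user-space C model added here for illustration. It is not the kernel's gs_usb code; the model_* functions, RX_URBS and the cycle counts are assumptions made for the example.

```c
/* User-space model, not kernel code; model_* names and RX_URBS are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#define RX_URBS 3                       /* constructed: URBs set up per open */

struct model_urb { bool anchored; };

/* open: allocate, anchor and submit every rx URB */
static void model_open(struct model_urb *urbs)
{
    for (int i = 0; i < RX_URBS; i++)
        urbs[i].anchored = true;
}

/* completion: the USB core unanchors the URB, then the callback resubmits it */
static void model_complete(struct model_urb *u, bool reanchor)
{
    u->anchored = false;                /* done before the callback runs */
    if (reanchor)
        u->anchored = true;             /* the fix: anchor again in the callback */
}

/* close: only URBs still on the anchor are killed and released */
static int model_close(const struct model_urb *urbs)
{
    int leaked = 0;
    for (int i = 0; i < RX_URBS; i++)
        leaked += !urbs[i].anchored;    /* off the anchor: never killed or freed */
    return leaked;
}

/* Run open/receive/close cycles; return the number of URBs never released. */
int leaked_urbs(int cycles, int completed_per_cycle, bool reanchor)
{
    int leaked = 0;
    for (int c = 0; c < cycles; c++) {
        struct model_urb urbs[RX_URBS];
        model_open(urbs);
        for (int i = 0; i < completed_per_cycle && i < RX_URBS; i++)
            model_complete(&urbs[i], reanchor);
        leaked += model_close(urbs);
    }
    return leaked;
}

int main(void)
{
    printf("leaked before fix: %d, after fix: %d\n", leaked_urbs(4, 2, false), leaked_urbs(4, 2, true));
    return 0;
}
```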
Exploitation
An attacker with local access and the ability to open and close the CAN device repeatedly can trigger the leak. Each cycle of opening and closing causes completed URBs to accumulate without being freed, progressively consuming kernel memory. No special privileges beyond access to the CAN device are required, as the driver is typically accessible to unprivileged users through the CAN subsystem.
Impact
The memory leak can lead to kernel memory exhaustion over time, resulting in system instability or denial of service (DoS). In extreme cases, the system may become unresponsive or crash due to inability to allocate memory for other processes.
Mitigation
The vulnerability is fixed in Linux kernel stable releases that include the commit re-anchoring the URB in the callback. Users should update to a patched kernel version. No workaround is available for systems that cannot be updated.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References (6)
- git.kernel.org/stable/c/08624b7206ddb9148eeffc2384ebda2c47b6d1e9 (nvd)
- git.kernel.org/stable/c/7352e1d5932a0e777e39fa4b619801191f57e603 (nvd)
- git.kernel.org/stable/c/9c151898cc259a7784be60ba38664f42ede39b31 (nvd)
- git.kernel.org/stable/c/9f669a38ca70839229b7ba0f851820850a2fe1f7 (nvd)
- git.kernel.org/stable/c/ec5ccc2af9e5b045671f3f604b57512feda8bcc5 (nvd)
- git.kernel.org/stable/c/f905bcfa971edb89e398c98957838d8c6381c0c7 (nvd)