CVE-2026-23037

Vulnerability

In the Linux kernel's ETAS ES58X CAN driver, the function es58x_alloc_rx_urbs() fails to properly handle partial URB allocation. When the function cannot allocate the requested number of URBs but succeeds in allocating some, it returns an error code instead of proceeding with the allocated URBs. The caller es58x_open() then exits early, skipping the cleanup label free_urbs, which leaves the already-allocated URBs anchored and never freed — causing a memory leak [1] [2].

Attack

Vector and Prerequisites

This flaw is triggered during the normal operation of the CAN interface; specifically when the system runs low on memory or dma-buffer resources, causing the URB allocation to partially fail. An attacker does not need special privileges to trigger this, as the bug is exposed through standard network interface control (e.g., bringing a CAN interface up and down). No authentication is required beyond the ability to open the CAN device, which typically requires root or CAP_NET_ADMIN. The attack surface is local; the bug does not require physical access if an unprivileged process can toggle the interface [3] [4].

Impact

An attacker who can repeatedly bring the CAN interface up and down under memory pressure can cause a kernel memory leak, slowly exhausting system memory and potentially leading to a denial-of-service condition. The leaked URBs remain attached to the USB subsystem are not released until the driver is unloaded or the system is rebooted, making the leak persistent across interface state changes [1] [2].

Mitigation

The fix modifies es58x_alloc_rx_urbs() to return 0 if at least one URB has been allocated, allowing the driver to continue with fewer URBs — which the driver is designed to handle gracefully. This restores the intended behavior and prevents the leak. The patch has been applied to the Linux kernel stable trees [1] [2] [3] [4]. Users should update their kernel to a version containing the fix.