CVE-2026-23058
Description
In the Linux kernel, the following vulnerability has been resolved:
can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak
Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak").
In ems_usb_open(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the complete callback ems_usb_read_bulk_callback(), the URBs are processed and resubmitted. In ems_usb_close() the URBs are freed by calling usb_kill_anchored_urbs(&dev->rx_submitted).
However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in ems_usb_close().
Fix the memory leak by anchoring the URB in the ems_usb_read_bulk_callback() to the dev->rx_submitted anchor.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2026-23058 fixes a URB memory leak in the Linux kernel's EMS USB CAN driver, where completed URBs were not freed when the device was closed.
Vulnerability
This vulnerability is a memory leak in the Linux kernel's ems_usb CAN driver, specifically in the ems_usb_read_bulk_callback() function [1]. The root cause is a mismatch between how USB request blocks (URBs) are managed during device open and close. In ems_usb_open(), URBs for USB-in transfers are allocated, anchored to the dev->rx_submitted anchor list, and submitted. When the device is closed via ems_usb_close(), the kernel calls usb_kill_anchored_urbs(&dev->rx_submitted), which is intended to free all anchored URBs. However, the USB framework unanchors a URB before its completion callback is invoked. This means that once a URB completes, it is removed from the anchor list, and ems_usb_close() no longer sees it, failing to free it.
Exploitation
To exploit this memory leak, an attacker would need local access to the system and the ability to repeatedly open and close the CAN interface [1]. This causes a continuous loss of memory as URBs are allocated but not freed. No additional privileges or special hardware beyond the EMS USB CAN device are required, though the system must have the vulnerable driver loaded.
Impact
The primary impact is a denial of service through memory exhaustion [1]. Over time, the unreleased URBs accumulate, consuming kernel memory and potentially leading to system instability or crashes. The attacker gains no code execution or privilege escalation.
Mitigation
A fix has been applied in the Linux kernel [2][3]. The patch re-anchors the URB in the ems_usb_read_bulk_callback() function, ensuring it remains on the anchor list and is properly freed when the device is closed. Users should update to a patched kernel version. No workaround is available without a kernel update.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- git.kernel.org/stable/c/0ce73a0eb5a27070957b67fd74059b6da89cc516nvd
- git.kernel.org/stable/c/46a191ff7eeec33a2ccb2a1bfea34e18fbc5dc1anvd
- git.kernel.org/stable/c/61e6d3674c3d1da1475dc207b3e75c55d678d18envd
- git.kernel.org/stable/c/68c62b3e53901846b5f68c5a8bade72a5d9c0b87nvd
- git.kernel.org/stable/c/e2c71030dc464d437110bcfb367c493fd402bddbnvd
- git.kernel.org/stable/c/e9410fdd4d5f7eaa6526d8c80e83029d7c86a8e8nvd
- git.kernel.org/stable/c/f48eabd15194b216030b32445f44230df95f5fe0nvd
News mentions
0No linked articles in our index yet.