Unrated severity · NVD Advisory · Published Mar 25, 2026 · Updated Apr 18, 2026

CVE-2026-23307

Description

In the Linux kernel, the following vulnerability has been resolved:

can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message

When looking at the data in a USB urb, the actual_length is the size of the buffer passed to the driver, not the transfer_buffer_length which is set by the driver as the max size of the buffer.

When parsing the messages in ems_usb_read_bulk_callback(), properly check the size both at the beginning of parsing the message to make sure it is big enough for the expected structure, and at the end of the message to make sure we don't overflow past the end of the buffer for the next message.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing length check in the Linux kernel's ems_usb CAN driver can cause out-of-bounds reads when parsing USB bulk messages.

Vulnerability

In the ems_usb driver of the Linux kernel's CAN subsystem, the function ems_usb_read_bulk_callback() incorrectly used transfer_buffer_length (the maximum buffer size set by the driver) instead of actual_length (the actual data size received from the USB device) when parsing incoming messages. This mismatch means the driver could attempt to read beyond the valid data in the USB URB, leading to an out-of-bounds read [1][2].

Exploitation

An attacker with physical access to the system or the ability to connect a malicious USB device could send crafted CAN messages that exploit this length validation flaw. No special privileges beyond the ability to interact with the CAN interface are required, as the vulnerability lies in the kernel's handling of data from a USB device that is already trusted by the kernel [3].

Impact

Successful exploitation could allow an attacker to read sensitive kernel memory or cause a denial of service (system crash) by triggering an out-of-bounds access. The vulnerability does not directly enable arbitrary code execution, but memory corruption may be leveraged for further attacks [4].

Mitigation

Patches have been committed to the Linux kernel stable tree. Users should update to a kernel version containing the fix, which adds proper length checks using actual_length at both the start and end of message parsing [1][2][3][4].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
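
The two checks named in the description (enough bytes for the message structure at the start, and the message ending inside the received data) can be modelled in user space as below. This is an added example, not the ems_usb driver's code or the upstream patch; the 2-byte `{type, len}` message layout and the names `parse_msgs` and `MSG_HDR_LEN` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical wire format (not the ems_usb layout): a buffer holds
 * back-to-back messages, each a 2-byte header {type, len} followed by
 * `len` payload bytes. */
#define MSG_HDR_LEN 2u

/* buf_size models transfer_buffer_length (allocated capacity);
 * actual_length models the bytes the device really delivered.
 * Returns the number of complete messages, or -1 if any message would
 * extend past actual_length. Bytes beyond actual_length are never read. */
int parse_msgs(const uint8_t *buf, size_t buf_size, size_t actual_length)
{
    size_t start = 0;
    int count = 0;

    if (actual_length > buf_size)   /* inconsistent completion report */
        return -1;

    while (start < actual_length) {
        /* Check 1: enough bytes left for the fixed header? */
        if (actual_length - start < MSG_HDR_LEN)
            return -1;

        size_t len = buf[start + 1];

        /* Check 2: does header plus payload end inside the received
         * data, so the next message starts at a valid offset? */
        if (len > actual_length - start - MSG_HDR_LEN)
            return -1;

        start += MSG_HDR_LEN + len;
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample: 16-byte buffer, device delivered 7 bytes.
     * The tail is stale data that must not be parsed. */
    uint8_t buf[16] = { 0x01, 2, 0xAA, 0xBB, 0x02, 1, 0xCC,
                        0x03, 4, 0xDE, 0xAD, 0xBE, 0xEF };
    printf("bounded by actual_length: %d\n", parse_msgs(buf, sizeof buf, 7));
    printf("truncated transfer:       %d\n", parse_msgs(buf, sizeof buf, 6));
    return 0;
}
```

Both comparisons are written as subtractions from `actual_length` rather than additions to `start`, so a large `len` cannot wrap the offset before it is compared.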
