CVE-2026-23324
Description
In the Linux kernel, the following vulnerability has been resolved:
can: usb: etas_es58x: correctly anchor the urb in the read bulk callback
When submitting an urb that is using the anchor pattern, it needs to be anchored before submitting it; otherwise it could be leaked if usb_kill_anchored_urbs() is called. This logic is correctly done elsewhere in the driver, except in the read bulk callback, so do that here also.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's etas_es58x CAN USB driver, the read bulk callback fails to anchor URBs before submission, potentially causing a URB leak if usb_kill_anchored_urbs() is called.
Vulnerability
In the Linux kernel's etas_es58x CAN USB driver, the read bulk callback does not anchor the URB (USB Request Block) before submitting it. The anchor pattern requires that a URB be anchored prior to submission; otherwise, a race condition can lead to the URB being leaked if usb_kill_anchored_urbs() is invoked concurrently. This oversight exists only in the read bulk callback, while other parts of the driver correctly anchor URBs first [1][2].
Exploitation
An attacker would need physical access to the USB bus or the ability to trigger USB device disconnection or reset events that cause usb_kill_anchored_urbs() to be called. No special privileges are required beyond the ability to interact with the affected USB device. The vulnerability is triggered during normal URB lifecycle management, not through a crafted packet [3][4].
Impact
If the URB is not anchored, a call to usb_kill_anchored_urbs() will not find it, leaving the URB in a state where it can be freed while still in use or never properly cleaned up. This can lead to a use-after-free or memory leak, potentially causing a denial of service (system crash or instability). The CVSS v3 score of 5.5 (Medium) reflects the requirement for physical access or local USB interaction [1][2].
Mitigation
The fix has been applied in the Linux kernel stable tree via commits that add the missing usb_anchor_urb() call before submission in the read bulk callback. Users should update to a kernel version containing these patches. No workaround is available other than applying the kernel update [3][4].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (11 CPE entries)
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=5.13.1, <5.15.203)
- cpe:2.3:o:linux:linux_kernel:5.13:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (7)
- git.kernel.org/stable/c/18eee279e9b5bff0db1aca9475ae4bc12804f05c (NVD tag: Patch)
- git.kernel.org/stable/c/2185ea6e4ebcb61d1224dc7d187c59723cb5ad59 (NVD tag: Patch)
- git.kernel.org/stable/c/5eaad4f768266f1f17e01232ffe2ef009f8129b7 (NVD tag: Patch)
- git.kernel.org/stable/c/7a0171b4921ad443fee5ed4fcb9d99fa4776edac (NVD tag: Patch)
- git.kernel.org/stable/c/b878444519fa03a3edd287d1963cf79ef78be2f1 (NVD tag: Patch)
- git.kernel.org/stable/c/b8f9ca88253574638bcff38900a4c28d570b1919 (NVD tag: Patch)
- git.kernel.org/stable/c/f6e90c113c92e83fc0963d5e60e16b0e8a268981 (NVD tag: Patch)
News mentions
No linked articles in our index yet.