CVE-2026-23347
Description
In the Linux kernel, the following vulnerability has been resolved:
can: usb: f81604: correctly anchor the urb in the read bulk callback
When submitting an urb, that is using the anchor pattern, it needs to be anchored before submitting it otherwise it could be leaked if usb_kill_anchored_urbs() is called. This logic is correctly done elsewhere in the driver, except in the read bulk callback so do that here also.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's f81604 USB CAN driver, a missing URB anchor before submission in the read bulk callback could cause a URB leak when usb_kill_anchored_urbs() is called.
Vulnerability
The f81604 USB CAN driver in the Linux kernel does not anchor the URB before submitting it in the read bulk callback. According to the patch description, URBs using the anchor pattern must be anchored prior to submission; otherwise, they can be leaked if usb_kill_anchored_urbs() is invoked [1]. This oversight exists only in the read bulk path, as other parts of the driver correctly anchor URBs.
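A user-space C model of the anchoring behaviour described above, added here as an illustration; it is not the f81604 driver's code or the kernel's URB API. All `model_*` names and `urbs_in_flight_after_disconnect` are hypothetical, and the model assumes a URB is detached from its anchor when it completes, so a callback that resubmits it has to anchor it again.

```c
#include <stdbool.h>
#include <stddef.h>

/* User-space model of URB anchoring; every name is hypothetical, not kernel code. */
#define MAX_URBS 4
struct model_urb { bool in_flight; };
struct model_anchor { struct model_urb *urbs[MAX_URBS]; size_t n; };

static void model_anchor_urb(struct model_anchor *a, struct model_urb *u)
{
    if (a->n < MAX_URBS) a->urbs[a->n++] = u;
}
static void model_submit_urb(struct model_urb *u) { u->in_flight = true; }

/* Completion: the URB leaves its anchor before the callback runs (model assumption). */
static void model_giveback(struct model_anchor *a, struct model_urb *u)
{
    for (size_t i = 0; i < a->n; i++)
        if (a->urbs[i] == u) { a->urbs[i] = a->urbs[--a->n]; break; }
    u->in_flight = false;
}

/* Read bulk callback resubmitting its URB, with or without re-anchoring. */
static void model_read_bulk_callback(struct model_anchor *a, struct model_urb *u, bool reanchor)
{
    if (reanchor) model_anchor_urb(a, u);   /* anchor first, then submit */
    model_submit_urb(u);
}

/* Disconnect path: cancels only the URBs the anchor still tracks. */
static void model_kill_anchored_urbs(struct model_anchor *a)
{
    while (a->n > 0) a->urbs[--a->n]->in_flight = false;
}

/* Returns 1 if the URB is still in flight after disconnect, else 0. */
size_t urbs_in_flight_after_disconnect(bool reanchor)
{
    struct model_anchor anchor = { .n = 0 };
    struct model_urb urb = { false };
    model_anchor_urb(&anchor, &urb);     /* initial submission: anchored */
    model_submit_urb(&urb);
    model_giveback(&anchor, &urb);       /* frame received, URB completes */
    model_read_bulk_callback(&anchor, &urb, reanchor);
    model_kill_anchored_urbs(&anchor);   /* device disconnect */
    return urb.in_flight ? 1 : 0;
}

int main(void) { return (int)urbs_in_flight_after_disconnect(true); /* 0 when re-anchored */ }
```

In kernel code the corresponding calls are usb_anchor_urb() before usb_submit_urb(), with usb_unanchor_urb() if the submission fails.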
Exploitation
An attacker with physical access or the ability to trigger a USB device removal could cause the kernel to call usb_kill_anchored_urbs(). If the URB is not anchored, it will not be killed or freed, leading to a memory leak. No authentication is required; any scenario that triggers the read bulk callback (e.g., CAN frame reception) and then a device disconnect could expose the issue.
Impact
Successful exploitation results in a kernel memory leak. Repeated triggers could exhaust kernel memory, potentially leading to denial of service. The vulnerability is rated Medium (CVSS 5.5) with low attack complexity and no privileges required.
Mitigation
The fix has been backported to stable kernels via commit 952caa5da10b and related commits [1]. Users should update to the latest kernel versions containing this fix. No workarounds are available.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=6.5.1, <6.6.130)
- cpe:2.3:o:linux:linux_kernel:6.5:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
References
- git.kernel.org/stable/c/54ee74307165b348b2fddcd7942eb48fb4ee1237 (nvd, Patch)
- git.kernel.org/stable/c/7724645c4792914cd07f36718816c5369cc57970 (nvd, Patch)
- git.kernel.org/stable/c/952caa5da10bed22be09612433964f6877ba0dde (nvd, Patch)
- git.kernel.org/stable/c/c001214e12202338425d6dda5d2a1919d674282d (nvd, Patch)
- git.kernel.org/stable/c/f6d80b104f904a6da922907394eec66d3e2ffc57 (nvd, Patch)