CVE-2026-46103
Description
In the Linux kernel, the following vulnerability has been resolved:
can: ucan: fix devres lifetime
USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes).
Fix the control message buffer lifetime so that it is released on driver unbind.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's ucan driver, a devres lifetime mismatch causes a memory leak of the control message buffer when the driver is unbound without device disconnection.
Vulnerability
The ucan driver in the Linux kernel incorrectly tied the lifetime of its control message buffer to the parent USB device instead of the USB interface. This violates the expected resource management for USB drivers, where device-managed resources should be bound to the interface. The bug affects all versions of the kernel containing the ucan driver prior to the fix commits [1][2][3][4].
Exploitation
An attacker does not directly trigger this vulnerability; it occurs during normal driver unbind operations, such as probe deferral or configuration changes. No special privileges or user interaction are required beyond the ability to cause the driver to unbind (e.g., via system administration actions or hotplug events).
Impact
The primary impact is a memory leak of the control message buffer each time the driver is unbound without the physical device being disconnected. Over repeated unbind/bind cycles, this can exhaust kernel memory, leading to denial of service. No other CIA impact (confidentiality, integrity) is described.
Mitigation
The fix is included in the Linux kernel stable tree via commits [1], [2], [3], and [4] (backports to various stable branches). Users should update to a kernel version containing these commits. No workaround is available other than avoiding driver unbind operations on systems using the ucan device.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
1010b7b676b78acan: ucan: fix devres lifetime
1 file changed · +1 −2
drivers/net/can/usb/ucan.c+1 −2 modifieddiff --git a/drivers/net/can/usb/ucan.c b/drivers/net/can/usb/ucan.c index 6c90b4a7d955a2..c3ebb648d8b0dc 100644 --- a/drivers/net/can/usb/ucan.c +++ b/drivers/net/can/usb/ucan.c @@ -1399,7 +1399,7 @@ static int ucan_probe(struct usb_interface *intf, */ /* Prepare Memory for control transfers */ - ctl_msg_buffer = devm_kzalloc(&udev->dev, + ctl_msg_buffer = devm_kzalloc(&intf->dev, sizeof(union ucan_ctl_payload), GFP_KERNEL); if (!ctl_msg_buffer) { -- cgit 1.3-korg
c524c124e309can: ucan: fix devres lifetime
1 file changed · +1 −2
drivers/net/can/usb/ucan.c+1 −2 modifieddiff --git a/drivers/net/can/usb/ucan.c b/drivers/net/can/usb/ucan.c index 6c90b4a7d955a2..c3ebb648d8b0dc 100644 --- a/drivers/net/can/usb/ucan.c +++ b/drivers/net/can/usb/ucan.c @@ -1399,7 +1399,7 @@ static int ucan_probe(struct usb_interface *intf, */ /* Prepare Memory for control transfers */ - ctl_msg_buffer = devm_kzalloc(&udev->dev, + ctl_msg_buffer = devm_kzalloc(&intf->dev, sizeof(union ucan_ctl_payload), GFP_KERNEL); if (!ctl_msg_buffer) { -- cgit 1.3-korg
4b7d07747400can: ucan: fix devres lifetime
1 file changed · +1 −2
drivers/net/can/usb/ucan.c+1 −2 modifieddiff --git a/drivers/net/can/usb/ucan.c b/drivers/net/can/usb/ucan.c index 6c90b4a7d955a2..c3ebb648d8b0dc 100644 --- a/drivers/net/can/usb/ucan.c +++ b/drivers/net/can/usb/ucan.c @@ -1399,7 +1399,7 @@ static int ucan_probe(struct usb_interface *intf, */ /* Prepare Memory for control transfers */ - ctl_msg_buffer = devm_kzalloc(&udev->dev, + ctl_msg_buffer = devm_kzalloc(&intf->dev, sizeof(union ucan_ctl_payload), GFP_KERNEL); if (!ctl_msg_buffer) { -- cgit 1.3-korg
c0d3ccc6929ecan: ucan: fix devres lifetime
1 file changed · +1 −2
drivers/net/can/usb/ucan.c+1 −2 modifieddiff --git a/drivers/net/can/usb/ucan.c b/drivers/net/can/usb/ucan.c index 0ea0ac75e42f9a..ee3c1abbd06305 100644 --- a/drivers/net/can/usb/ucan.c +++ b/drivers/net/can/usb/ucan.c @@ -1397,7 +1397,7 @@ static int ucan_probe(struct usb_interface *intf, */ /* Prepare Memory for control transfers */ - ctl_msg_buffer = devm_kzalloc(&udev->dev, + ctl_msg_buffer = devm_kzalloc(&intf->dev, sizeof(union ucan_ctl_payload), GFP_KERNEL); if (!ctl_msg_buffer) { -- cgit 1.3-korg
fed4626501c8can: ucan: fix devres lifetime
1 file changed · +1 −2
drivers/net/can/usb/ucan.c+1 −2 modifieddiff --git a/drivers/net/can/usb/ucan.c b/drivers/net/can/usb/ucan.c index 0ea0ac75e42f9a..ee3c1abbd06305 100644 --- a/drivers/net/can/usb/ucan.c +++ b/drivers/net/can/usb/ucan.c @@ -1397,7 +1397,7 @@ static int ucan_probe(struct usb_interface *intf, */ /* Prepare Memory for control transfers */ - ctl_msg_buffer = devm_kzalloc(&udev->dev, + ctl_msg_buffer = devm_kzalloc(&intf->dev, sizeof(union ucan_ctl_payload), GFP_KERNEL); if (!ctl_msg_buffer) { -- cgit 1.3-korg
c524c124e309can: ucan: fix devres lifetime
1 file changed · +1 −2
drivers/net/can/usb/ucan.c+1 −2 modifieddiff --git a/drivers/net/can/usb/ucan.c b/drivers/net/can/usb/ucan.c index 6c90b4a7d955a2..c3ebb648d8b0dc 100644 --- a/drivers/net/can/usb/ucan.c +++ b/drivers/net/can/usb/ucan.c @@ -1399,7 +1399,7 @@ static int ucan_probe(struct usb_interface *intf, */ /* Prepare Memory for control transfers */ - ctl_msg_buffer = devm_kzalloc(&udev->dev, + ctl_msg_buffer = devm_kzalloc(&intf->dev, sizeof(union ucan_ctl_payload), GFP_KERNEL); if (!ctl_msg_buffer) { -- cgit 1.3-korg
fed4626501c8can: ucan: fix devres lifetime
1 file changed · +1 −2
drivers/net/can/usb/ucan.c+1 −2 modifieddiff --git a/drivers/net/can/usb/ucan.c b/drivers/net/can/usb/ucan.c index 0ea0ac75e42f9a..ee3c1abbd06305 100644 --- a/drivers/net/can/usb/ucan.c +++ b/drivers/net/can/usb/ucan.c @@ -1397,7 +1397,7 @@ static int ucan_probe(struct usb_interface *intf, */ /* Prepare Memory for control transfers */ - ctl_msg_buffer = devm_kzalloc(&udev->dev, + ctl_msg_buffer = devm_kzalloc(&intf->dev, sizeof(union ucan_ctl_payload), GFP_KERNEL); if (!ctl_msg_buffer) { -- cgit 1.3-korg
4b7d07747400can: ucan: fix devres lifetime
1 file changed · +1 −2
drivers/net/can/usb/ucan.c+1 −2 modifieddiff --git a/drivers/net/can/usb/ucan.c b/drivers/net/can/usb/ucan.c index 6c90b4a7d955a2..c3ebb648d8b0dc 100644 --- a/drivers/net/can/usb/ucan.c +++ b/drivers/net/can/usb/ucan.c @@ -1399,7 +1399,7 @@ static int ucan_probe(struct usb_interface *intf, */ /* Prepare Memory for control transfers */ - ctl_msg_buffer = devm_kzalloc(&udev->dev, + ctl_msg_buffer = devm_kzalloc(&intf->dev, sizeof(union ucan_ctl_payload), GFP_KERNEL); if (!ctl_msg_buffer) { -- cgit 1.3-korg
10b7b676b78acan: ucan: fix devres lifetime
1 file changed · +1 −2
drivers/net/can/usb/ucan.c+1 −2 modifieddiff --git a/drivers/net/can/usb/ucan.c b/drivers/net/can/usb/ucan.c index 6c90b4a7d955a2..c3ebb648d8b0dc 100644 --- a/drivers/net/can/usb/ucan.c +++ b/drivers/net/can/usb/ucan.c @@ -1399,7 +1399,7 @@ static int ucan_probe(struct usb_interface *intf, */ /* Prepare Memory for control transfers */ - ctl_msg_buffer = devm_kzalloc(&udev->dev, + ctl_msg_buffer = devm_kzalloc(&intf->dev, sizeof(union ucan_ctl_payload), GFP_KERNEL); if (!ctl_msg_buffer) { -- cgit 1.3-korg
c0d3ccc6929ecan: ucan: fix devres lifetime
1 file changed · +1 −2
drivers/net/can/usb/ucan.c+1 −2 modifieddiff --git a/drivers/net/can/usb/ucan.c b/drivers/net/can/usb/ucan.c index 0ea0ac75e42f9a..ee3c1abbd06305 100644 --- a/drivers/net/can/usb/ucan.c +++ b/drivers/net/can/usb/ucan.c @@ -1397,7 +1397,7 @@ static int ucan_probe(struct usb_interface *intf, */ /* Prepare Memory for control transfers */ - ctl_msg_buffer = devm_kzalloc(&udev->dev, + ctl_msg_buffer = devm_kzalloc(&intf->dev, sizeof(union ucan_ctl_payload), GFP_KERNEL); if (!ctl_msg_buffer) { -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Device-managed resource (control message buffer) lifetime tied to the parent USB device instead of the USB interface, causing memory leak on driver unbind."
Attack vector
An attacker with physical USB access can trigger driver unbind (e.g., via probe deferral or configuration changes) without physically disconnecting the device. Because the control message buffer's lifetime was tied to the parent USB device instead of the USB interface, the buffer is not freed when the driver is unbound from the interface, resulting in a memory leak. No special payload or network path is required — the bug is triggered by normal driver lifecycle events.
Affected code
The vulnerability is in the `ucan_probe()` function in `drivers/net/can/usb/ucan.c`. The control message buffer (`ctl_msg_buffer`) was allocated with `devm_kzalloc(&udev->dev, ...)`, tying its lifetime to the parent USB device (`udev->dev`) rather than to the USB interface (`intf->dev`).
What the fix does
The patch changes the `devm_kzalloc()` call from `&udev->dev` (parent USB device) to `&intf->dev` (USB interface) in `ucan_probe()` [patch_id=2659678]. This ties the allocated control message buffer's lifetime to the USB interface, so it is automatically freed when the driver unbinds from the interface. The fix is a one-line change in `drivers/net/can/usb/ucan.c` at the allocation site of `ctl_msg_buffer`.
Preconditions
- inputPhysical USB access to a device using the UCAN driver
- configDriver unbind triggered (e.g., via probe deferral or configuration change) without physical disconnect
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- git.kernel.org/stable/c/10b7b676b78a7bd888d19729b459aad7fc1f428bnvd
- git.kernel.org/stable/c/4b7d07747400cfd7eff1ba7b8b5a7c8d5a58f705nvd
- git.kernel.org/stable/c/c0d3ccc6929e4509076df8f30a4fb1dc5018b0aenvd
- git.kernel.org/stable/c/c524c124e3094d2de12235a513854c03d06a2b58nvd
- git.kernel.org/stable/c/fed4626501c871890da287bec62a96e52da1af89nvd
News mentions
0No linked articles in our index yet.