Home

Description

In the Linux kernel, the following vulnerability has been resolved: can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In kvaser_usb_set_{,data_}bittiming() -> kvaser_usb_setup_rx_urbs(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the complete callback kvaser_usb_read_bulk_callback(), the URBs are processed and resubmitted. In kvaser_usb_remove_interfaces() the URBs are freed by calling usb_kill_anchored_urbs(&dev->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in usb_kill_anchored_urbs(). Fix the memory leak by anchoring the URB in the kvaser_usb_read_bulk_callback() to the dev->rx_submitted anchor.

PUBLISHED Reserved 2026-01-13 | Published 2026-02-04 | Updated 2026-02-09 | Assigner Linux

Product status

Default status
unaffected

080f40a6fa28dab299da7a652e444b1e2d9231e7 (git) before d9d824582f2ec76459ffab449e9b05c7bc49645c
affected

080f40a6fa28dab299da7a652e444b1e2d9231e7 (git) before 40a3334ffda479c63e416e61ff086485e24401f7
affected

080f40a6fa28dab299da7a652e444b1e2d9231e7 (git) before c1b39fa24c140bc616f51fef4175c1743e2bb132
affected

080f40a6fa28dab299da7a652e444b1e2d9231e7 (git) before 7c308f7530bffafa994e0aa8dc651a312f4b9ff4
affected

080f40a6fa28dab299da7a652e444b1e2d9231e7 (git) before 94a7fc42e21c7d9d1c49778cd1db52de5df52a01
affected

080f40a6fa28dab299da7a652e444b1e2d9231e7 (git) before 3b1a593eab941c3f32417896cc7df564191f2482
affected

080f40a6fa28dab299da7a652e444b1e2d9231e7 (git) before 248e8e1a125fa875158df521b30f2cc7e27eeeaa
affected

Default status
affected

3.8
affected

Any version before 3.8
unaffected

5.10.249 (semver)
unaffected

5.15.199 (semver)
unaffected

6.1.162 (semver)
unaffected

6.6.122 (semver)
unaffected

6.12.68 (semver)
unaffected

6.18.8 (semver)
unaffected

6.19 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/d9d824582f2ec76459ffab449e9b05c7bc49645c

git.kernel.org/...c/40a3334ffda479c63e416e61ff086485e24401f7

git.kernel.org/...c/c1b39fa24c140bc616f51fef4175c1743e2bb132

git.kernel.org/...c/7c308f7530bffafa994e0aa8dc651a312f4b9ff4

git.kernel.org/...c/94a7fc42e21c7d9d1c49778cd1db52de5df52a01

git.kernel.org/...c/3b1a593eab941c3f32417896cc7df564191f2482

git.kernel.org/...c/248e8e1a125fa875158df521b30f2cc7e27eeeaa

cve.org (CVE-2026-23061)

nvd.nist.gov (CVE-2026-23061)

Download JSON