Linux Kernel, URB Memory Leak, CVE-2026-23061 (Medium)

Listen to this Post

The vulnerability resides in the `kvaser_usb` driver for CAN interfaces. During device setup, USB Request Blocks (URBs) for incoming data transfers are allocated, attached (anchored) to a management list (rx_submitted), and submitted to the USB subsystem. When a URB transfer completes, the kernel’s USB core automatically removes it from this anchor list before invoking the driver’s completion callback, kvaser_usb_read_bulk_callback(). The driver’s callback then processes the data and resubmits the URB for further reception. The flaw occurs during driver removal. The cleanup function, kvaser_usb_remove_interfaces(), calls `usb_kill_anchored_urbs()` which is intended to kill and free all URBs in the `rx_submitted` list. However, because URBs are unanchored upon completion, any URB that is currently in flight or pending resubmission is not present in the list and is therefore not freed by this function. This leads to a memory leak for every URB that completes after the initial submission, as the driver loses the reference needed to release the allocated memory .

DailyCVE Form:

Platform: Linux Kernel
Version: 3.8 to 6.18.7
Vulnerability : URB Memory Leak
Severity: Medium (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)
date: 2026-02-04

Prediction: Patched Feb-Mar 2026

What Undercode Say:

Analytics:

The vulnerability is a local denial-of-service issue with high attack complexity. It requires the ability to trigger the removal of a specific USB CAN device driver (kvaser_usb) on a system where the vulnerable kernel is running. Successful exploitation leads to a gradual kernel memory depletion, potentially causing system instability or crash. The issue was introduced in 2013 (kernel version 3.8) and fixed in multiple stable kernel updates in February and March 2026 . Major distributions like Debian, Ubuntu, and SUSE have released or are preparing fixes .

How Exploit:

An attacker would need a system with a Kvaser CAN interface using the affected driver. The exploit is not a code execution but a trigger for the memory leak.
1. Trigger Device Usage: Ensure the Kvaser device is in use, causing URBs to be submitted and completed. Normal CAN bus activity would suffice.
2. Initiate Device Removal: Trigger the removal of the device driver. This could be done physically by unplugging the USB device or logically by forcing a driver unbind (e.g., echo -n "bus-usb:... " > /sys/bus/usb/drivers/kvaser_usb/unbind).
3. Observe Memory Leak: As the driver removal routine (kvaser_usb_remove_interfaces) runs, it fails to free any URB that was completed and resubmitted. Each such URB becomes a memory leak. Repeatedly connecting and disconnecting the device would amplify the leak, leading to kernel memory exhaustion.

Protection from this CVE:

  1. Apply Kernel Updates: The primary mitigation is to update the Linux kernel to a patched version. Fixed versions include 6.1.162-1 for Debian Bookworm, 5.10.249-1 for Debian Bullseye, and 6.19-rc7 or later mainline releases .
    For Debian/Ubuntu systems, update the kernel package
    sudo apt update && sudo apt upgrade linux-image-$(uname -r)
    Reboot to load the new kernel
    sudo reboot
    Verify the fix is present by checking the kernel changelog or version
    uname -r
    
  2. Restrict USB Device Access: If an immediate kernel update is not possible, mitigate the risk by controlling physical and logical access to USB ports to prevent an attacker from connecting or disconnecting Kvaser devices.
  3. Module Blacklisting: As a temporary workaround, the `kvaser_usb` module can be blacklisted to prevent it from loading if the hardware is not required.
    Temporarily unload the module
    sudo modprobe -r kvaser_usb
    Permanently blacklist the module
    echo "blacklist kvaser_usb" | sudo tee /etc/modprobe.d/blacklist-kvaser.conf
    sudo update-initramfs -u
    
  4. Verify Fix with Git: The exact commit that fixes the issue can be cherry-picked by developers or maintainers.
    The mainline fix commit
    git show 248e8e1a125f
    Example of backported fix for a stable tree
    git show 3b1a593eab94
    

Impact:

Successful exploitation leads to a kernel memory leak. Over time, with repeated device removal, this can exhaust the kernel’s memory pool, leading to system instability, inability to allocate resources for new processes or hardware, and ultimately a kernel panic or system freeze (Denial of Service). The confidentiality and integrity of the system are not directly compromised, but availability is severely affected .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top