CVE-2026-23037 Overview
CVE-2026-23037 is a memory leak vulnerability in the Linux kernel's CAN (Controller Area Network) etas_es58x driver. The vulnerability occurs when the es58x_alloc_rx_urbs() function fails to allocate the requested number of USB Request Blocks (URBs) but succeeds in allocating some. In this partial allocation scenario, the function returns an error code which causes es58x_open() to return early, skipping the cleanup label free_urbs. This results in the anchored URBs being leaked, potentially leading to resource exhaustion over time.
Critical Impact
This memory leak vulnerability in the Linux kernel CAN driver can lead to resource exhaustion on systems using ETAS ES58X USB CAN interfaces, potentially causing system instability or denial of service conditions.
Affected Products
- Linux kernel with etas_es58x CAN driver enabled
- Systems using ETAS ES58X USB CAN interface adapters
- Embedded Linux systems with CAN bus functionality
Discovery Timeline
- 2026-01-31 - CVE-2026-23037 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2026-23037
Vulnerability Analysis
The vulnerability resides in the es58x_alloc_rx_urbs() function within the Linux kernel's CAN subsystem driver for ETAS ES58X USB devices. When the driver attempts to allocate multiple USB Request Blocks (URBs) for receiving CAN messages, it may encounter memory pressure or other allocation failures that prevent it from allocating the full requested number of URBs.
The core issue is in the error handling logic: if the function successfully allocates some URBs but fails to allocate all of them, it incorrectly returns an error code. This error propagates to es58x_open(), which then returns early without reaching the free_urbs cleanup label. The partially allocated URBs that were anchored remain allocated but unreferenced, creating a memory leak.
As noted by maintainer Vincent Mailhol, the driver was originally designed to handle partial URB allocation gracefully since some URBs are sufficient for operation. The fix modifies es58x_alloc_rx_urbs() to return success (0) if at least one URB has been allocated, restoring the intended behavior and preventing the leak.
Root Cause
The root cause is improper error handling in the URB allocation function. The function treated partial allocation as a fatal error when the driver's design intended for partial allocation to be acceptable. This design versus implementation mismatch caused the error path to bypass necessary cleanup routines, leading to memory leaks of anchored URB structures.
Attack Vector
The vulnerability has limited direct exploitability as it requires:
- A system with the etas_es58x driver loaded
- Memory pressure conditions or repeated device open/close operations
- Physical access to connect ETAS ES58X USB CAN hardware
An attacker with local access could potentially trigger repeated partial allocation failures by inducing memory pressure while opening the CAN device interface. Over time, the accumulated memory leaks could degrade system performance or lead to denial of service through resource exhaustion. However, the attack surface is limited to systems with specific CAN hardware configurations.
Detection Methods for CVE-2026-23037
Indicators of Compromise
- Gradual memory consumption increase on systems with ETAS ES58X CAN devices
- Kernel memory allocation warnings or errors in system logs related to USB or CAN subsystems
- Unexpected ENOMEM errors when opening CAN interfaces repeatedly
Detection Strategies
- Monitor kernel memory usage patterns, particularly slab allocations related to URB structures
- Review dmesg output for USB and CAN driver error messages indicating allocation failures
- Track /proc/meminfo for unexplained memory consumption growth over time
- Monitor for repeated failed CAN interface open operations
Monitoring Recommendations
- Implement kernel memory auditing using tools like kmemleak to detect leaked URB allocations
- Set up alerts for unusual memory growth patterns on systems running CAN applications
- Log and analyze CAN device open/close operations for error patterns
- Use SentinelOne's kernel-level monitoring to detect anomalous memory behavior in driver subsystems
How to Mitigate CVE-2026-23037
Immediate Actions Required
- Update to a patched Linux kernel version that includes the fix
- If immediate patching is not possible, consider unloading the etas_es58x module when not in use
- Monitor affected systems for memory exhaustion symptoms
- Review system logs for signs of exploitation attempts
Patch Information
Multiple patches have been released for various kernel branches to address this vulnerability. The fix modifies es58x_alloc_rx_urbs() to return 0 (success) if at least one URB has been allocated, preventing the memory leak while maintaining driver functionality.
Available kernel patches:
Workarounds
- Unload the etas_es58x driver module when CAN functionality is not required using modprobe -r etas_es58x
- Blacklist the driver module by adding blacklist etas_es58x to /etc/modprobe.d/blacklist.conf if the hardware is not in use
- Implement system reboots during maintenance windows to clear accumulated leaked memory
- Monitor and restart affected services if memory consumption exceeds acceptable thresholds
# Configuration example
# Unload the vulnerable driver module
sudo modprobe -r etas_es58x
# Blacklist the driver to prevent automatic loading
echo "blacklist etas_es58x" | sudo tee /etc/modprobe.d/blacklist-etas_es58x.conf
# Verify the driver is not loaded
lsmod | grep es58x
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
