CVE-2026-23061 Overview
A memory leak vulnerability has been discovered in the Linux kernel's Kvaser USB CAN driver within the kvaser_usb_read_bulk_callback() function. The vulnerability occurs due to improper handling of USB Request Blocks (URBs) during bulk callback processing, where URBs are unanchored by the USB framework before the completion callback is invoked. This results in memory not being properly released when usb_kill_anchored_urbs() is called during interface removal, leading to a gradual memory leak that could impact system stability over time.
Critical Impact
Systems utilizing Kvaser USB CAN interfaces may experience memory exhaustion over prolonged operation periods, potentially leading to system instability or denial of service conditions.
Affected Products
- Linux kernel with Kvaser USB CAN driver (kvaser_usb module)
- Systems using Kvaser USB CAN hardware interfaces
- Linux kernel versions that do not include the fix commits listed under Patch Information
Discovery Timeline
- 2026-02-04 - CVE-2026-23061 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2026-23061
Vulnerability Analysis
This vulnerability is a Memory Leak affecting the Kvaser USB CAN driver in the Linux kernel. The issue stems from the USB framework's behavior of unanchoring URBs before invoking the completion callback function. When kvaser_usb_set_bittiming() or kvaser_usb_set_data_bittiming() calls kvaser_usb_setup_rx_urbs(), URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor, and submitted for processing.
During normal operation, when kvaser_usb_read_bulk_callback() processes and resubmits URBs, the USB framework has already unanchored the URB. This means the URB is no longer tracked by the dev->rx_submitted anchor. When kvaser_usb_remove_interfaces() is called to clean up resources, it invokes usb_kill_anchored_urbs(&dev->rx_submitted), but since the URBs have been unanchored, they are not released, resulting in a memory leak.
Root Cause
The root cause is a timing issue between the USB framework's URB lifecycle management and the driver's expectation of URB anchoring state. The USB framework unanchors URBs before calling the completion callback, but the Kvaser USB driver did not re-anchor URBs after processing them in kvaser_usb_read_bulk_callback(). This misalignment in expectations leads to orphaned URBs that cannot be properly freed during driver cleanup.
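The anchoring behaviour described above can be reproduced in a small user-space model. This is an added example, not the kernel driver's code or the upstream patch: the structs and the helpers anchor_urb, unanchor_urb, kill_anchored, complete_and_resubmit and leaked_after_teardown are hypothetical stand-ins for the USB core's anchor handling, and URB submission itself is not modelled.

```c
/* User-space model of URB anchoring (constructed example, not kernel code). */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#define MAX_URBS 16
struct urb { struct urb *next; bool anchored; };
struct anchor { struct urb *head; };

static void anchor_urb(struct anchor *a, struct urb *u) {
    u->anchored = true; u->next = a->head; a->head = u;
}
static void unanchor_urb(struct anchor *a, struct urb *u) {
    for (struct urb **p = &a->head; *p; p = &(*p)->next)
        if (*p == u) { *p = u->next; break; }
    u->anchored = false; u->next = NULL;
}
/* Models usb_kill_anchored_urbs(): only URBs still on the anchor are released. */
static void kill_anchored(struct anchor *a) {
    while (a->head) {
        struct urb *u = a->head;
        unanchor_urb(a, u);
        free(u);
    }
}
/* One completion: the core unanchors the URB, then the read callback resubmits it. */
static void complete_and_resubmit(struct anchor *a, struct urb *u, bool reanchor) {
    unanchor_urb(a, u);              /* done by the USB core before the callback runs */
    if (reanchor) anchor_urb(a, u);  /* fixed callback: re-anchor before resubmitting */
}
/* Returns how many URBs interface removal could not reach through the anchor. */
int leaked_after_teardown(int nurbs, bool reanchor) {
    struct anchor rx_submitted = { NULL };
    struct urb *urbs[MAX_URBS];
    int leaked = 0;
    if (nurbs > MAX_URBS) nurbs = MAX_URBS;
    for (int i = 0; i < nurbs; i++) {
        if (!(urbs[i] = calloc(1, sizeof(struct urb)))) abort();
        anchor_urb(&rx_submitted, urbs[i]);      /* initial RX URB setup */
    }
    for (int i = 0; i < nurbs; i++)
        complete_and_resubmit(&rx_submitted, urbs[i], reanchor);
    for (int i = 0; i < nurbs; i++)              /* invisible to teardown; freed  */
        if (!urbs[i]->anchored) { leaked++; free(urbs[i]); } /* only to keep the model clean */
    kill_anchored(&rx_submitted);                /* interface removal */
    return leaked;
}
int main(void) {
    printf("without re-anchor: %d leaked\n", leaked_after_teardown(4, false));
    printf("with re-anchor:    %d leaked\n", leaked_after_teardown(4, true));
    return 0;
}
```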
Attack Vector
While the attack vector is classified as unknown, this vulnerability primarily manifests as a resource exhaustion issue. An attacker with local access to a system with Kvaser USB CAN hardware could potentially trigger the memory leak by repeatedly initializing and using the CAN interface, eventually exhausting system memory. The vulnerability is similar to the issue fixed in commit 7352e1d5932a for the gs_usb driver, suggesting a pattern of URB memory management issues across USB CAN drivers.
The exploitation scenario involves:
- A user or process interacting with the Kvaser USB CAN interface
- Normal USB bulk transfer operations triggering the callback
- URBs becoming unanchored and untracked over time
- Memory gradually being leaked with each completed transfer that is not properly re-anchored
Detection Methods for CVE-2026-23061
Indicators of Compromise
- Gradual increase in kernel memory usage on systems with active Kvaser USB CAN interfaces
- Memory allocation warnings in kernel logs related to the kvaser_usb driver
- System slowdown or instability after prolonged CAN bus communication sessions
Detection Strategies
- Monitor kernel memory usage patterns using tools like slabtop or /proc/meminfo for unexplained growth
- Use kernel memory debugging tools such as kmemleak to detect unreleased memory allocations
- Review dmesg output for memory pressure warnings when Kvaser USB CAN devices are in use
- Implement monitoring for USB subsystem memory allocations via ftrace or eBPF probes
Monitoring Recommendations
- Set up alerts for kernel memory thresholds on systems using Kvaser USB CAN hardware
- Periodically audit loaded kernel modules and ensure they are running patched versions
- Monitor long-running processes that interact with CAN interfaces for abnormal memory consumption
- Implement automated kernel version tracking to ensure security patches are applied
How to Mitigate CVE-2026-23061
Immediate Actions Required
- Update the Linux kernel to a version containing the fix commits
- Restart the kvaser_usb driver module after updating to ensure the patched code is loaded
- Monitor affected systems for memory usage anomalies until patches can be applied
- Consider temporarily unloading the kvaser_usb module on critical systems if the CAN interface is not required
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix involves properly re-anchoring URBs within the kvaser_usb_read_bulk_callback() function to the dev->rx_submitted anchor, ensuring they can be properly released during cleanup.
The following kernel commits contain the fix:
- Linux Kernel Commit 248e8e1
- Linux Kernel Commit 3b1a593e
- Linux Kernel Commit 7c308f75
- Linux Kernel Commit 94a7fc42
Workarounds
- Unload the kvaser_usb module when not actively using Kvaser CAN hardware to prevent memory leak accumulation
- Implement periodic system reboots as a temporary measure on systems that cannot be immediately patched
- Use alternative CAN interfaces if available that do not rely on the affected driver
- Monitor and set memory limits for processes interacting with CAN interfaces to contain potential impact
# Configuration example
# Unload the kvaser_usb module when not in use
sudo modprobe -r kvaser_usb
# Verify module is unloaded
lsmod | grep kvaser
# After patching, reload the module
sudo modprobe kvaser_usb
# Show the running kernel release and compare it against a release that contains the fix
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


