CVE-2026-23075 Overview
A memory leak vulnerability has been identified in the Linux kernel's ESD USB CAN driver (esd_usb). The vulnerability exists in the esd_usb_read_bulk_callback() function where USB Request Blocks (URBs) for USB-in transfers are not properly anchored after completion, leading to memory resources not being released when the device is closed. This issue is similar to a previously resolved memory leak in the gs_usb driver (commit 7352e1d5932a).
Critical Impact
Prolonged use of affected ESD USB CAN devices can lead to kernel memory exhaustion due to URBs not being properly freed, potentially resulting in system instability or denial of service conditions.
Affected Products
- Linux kernel with ESD USB CAN driver (esd_usb module)
- Systems using ESD CAN USB interfaces for Controller Area Network communications
- Industrial and automotive systems utilizing Linux-based CAN bus implementations
Discovery Timeline
- 2026-02-04 - CVE CVE-2026-23075 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2026-23075
Vulnerability Analysis
The vulnerability stems from improper URB lifecycle management in the ESD USB CAN driver. When esd_usb_open() is called, URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor, and submitted to the USB subsystem. The completion callback esd_usb_read_bulk_callback() processes these URBs and resubmits them for continued data reception.
The critical issue is that the USB framework unanchors URBs before invoking the completion callback. Consequently, when an in-URB completes processing, it is no longer associated with the dev->rx_submitted anchor. When esd_usb_close() is later called, it invokes usb_kill_anchored_urbs(&dev->rx_submitted) to free URBs, but the unanchored URBs are missed and never released.
This results in a cumulative memory leak where each completed URB that isn't properly re-anchored remains allocated in kernel memory indefinitely.
Root Cause
The root cause is the failure to re-anchor URBs in the esd_usb_read_bulk_callback() completion function after the USB framework automatically unanchors them. The original implementation assumed URBs would remain anchored throughout their lifecycle, but the USB subsystem's behavior of unanchoring URBs before callback invocation was not accounted for.
Attack Vector
While this vulnerability primarily manifests as a resource exhaustion issue rather than a directly exploitable security flaw, potential attack scenarios include:
- Local attackers with access to ESD USB CAN devices could repeatedly open and close the device interface to accelerate memory exhaustion
- In industrial control systems or automotive environments, sustained CAN bus traffic could cause gradual memory depletion over time
- Systems running for extended periods without restarts are particularly susceptible to eventual memory exhaustion
The fix involves anchoring the URB back to dev->rx_submitted within the esd_usb_read_bulk_callback() function before resubmitting it, ensuring proper cleanup occurs when esd_usb_close() is called.
Detection Methods for CVE-2026-23075
Indicators of Compromise
- Gradual increase in kernel memory usage on systems with active ESD USB CAN devices
- Memory allocation failures or OOM (Out of Memory) killer activations after extended CAN bus operations
- System logs showing USB-related memory warnings or esd_usb module errors
- Unexplained system slowdowns on devices performing continuous CAN bus communications
Detection Strategies
- Monitor kernel memory allocation trends, particularly slab allocations related to USB subsystems
- Implement automated kernel memory profiling for systems utilizing CAN bus hardware
- Review dmesg output for USB driver warnings or memory-related kernel messages
- Use tools like slabtop or /proc/slabinfo to track USB URB memory allocations over time
Monitoring Recommendations
- Establish baseline memory usage metrics for systems with ESD USB CAN devices
- Configure alerts for abnormal memory consumption patterns in production environments
- Schedule periodic system restarts for critical systems until patches can be applied
- Monitor /sys/kernel/slab/ entries related to USB allocations for unusual growth
How to Mitigate CVE-2026-23075
Immediate Actions Required
- Update to a patched Linux kernel version that includes the URB memory leak fix
- Restart affected systems to reclaim leaked memory from unpatched kernel sessions
- Consider temporarily disabling or disconnecting ESD USB CAN devices on systems where patching is delayed
- Implement memory monitoring to detect and respond to resource exhaustion conditions
Patch Information
The Linux kernel developers have released patches to address this vulnerability. The fix ensures that URBs are properly re-anchored to dev->rx_submitted within the esd_usb_read_bulk_callback() function before resubmission.
Verified patch commits are available in the stable kernel git repository:
- Kernel Patch 5a4391bdc6c8
- Kernel Patch 9d1807b442fc
- Kernel Patch a9503ae43256
- Kernel Patch adec5e1f9c99
Workarounds
- Unload the esd_usb kernel module when not actively required: rmmod esd_usb
- Limit CAN bus session durations and implement periodic device restarts
- Use alternative CAN interfaces that don't rely on the affected driver until patches are applied
- For critical systems, consider reverting to a known-good kernel version with the patch backported
# Check if esd_usb module is loaded
lsmod | grep esd_usb
# Temporarily unload the vulnerable module (if not in active use)
sudo rmmod esd_usb
# Verify kernel version includes the fix
uname -r
# Monitor memory usage for leak detection
watch -n 5 'cat /proc/meminfo | grep -E "MemFree|Slab|SUnreclaim"'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
