CVE-2026-23080 Overview
A memory leak vulnerability has been identified in the Linux kernel's CAN (Controller Area Network) subsystem, specifically in the mcba_usb driver. The vulnerability exists in the mcba_usb_read_bulk_callback() function where USB Request Block (URB) memory is not properly freed, leading to resource exhaustion over time.
Critical Impact
Prolonged exploitation of this memory leak can lead to system resource exhaustion, potentially causing denial of service conditions on affected Linux systems using the Microchip CAN BUS Analyzer USB driver.
Affected Products
- Linux kernel with mcba_usb CAN driver enabled
- Systems using Microchip CAN BUS Analyzer USB devices
- Linux kernel versions prior to the security patch
Discovery Timeline
- 2026-02-04 - CVE CVE-2026-23080 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2026-23080
Vulnerability Analysis
This vulnerability is a memory leak in the Linux kernel's mcba_usb driver, which handles Microchip CAN BUS Analyzer USB devices. The issue is similar to a previously patched vulnerability in the gs_usb driver (commit 7352e1d5932a).
The root of the problem lies in the URB lifecycle management during USB bulk transfer operations. When mcba_usb_probe() calls mcba_usb_start(), URBs for USB-in transfers are allocated, added to the priv->rx_submitted anchor, and submitted for processing. The complete callback function mcba_usb_read_bulk_callback() is responsible for processing these URBs and resubmitting them for continued data reception.
The critical flaw occurs because the USB framework unanchors URBs before calling the complete callback function. When mcba_usb_close() invokes mcba_urb_unlink(), it relies on usb_kill_anchored_urbs(&priv->rx_submitted) to free the URBs. However, since completed URBs are no longer anchored at this point, they escape the cleanup process and their memory is never released.
Root Cause
The memory leak occurs due to improper URB anchor management in the mcba_usb_read_bulk_callback() function. The USB subsystem unanchors URBs before invoking the completion callback, which means that when usb_kill_anchored_urbs() is called during device close, the completed URBs are no longer in the anchor list and cannot be freed.
The fix involves re-anchoring the URB to the priv->rx_submitted anchor within the mcba_usb_read_bulk_callback() function before resubmitting it. This ensures that all URBs remain tracked and can be properly released when the device is closed.
Attack Vector
The attack vector for this vulnerability is local, requiring either physical access to connect a malicious USB device or the ability to influence USB device operations on the target system.
An attacker could potentially exploit this vulnerability by:
- Repeatedly triggering USB bulk transfer completions to accelerate memory consumption
- Preventing proper device closure to maximize memory retention
- Operating multiple CAN USB devices simultaneously to multiply the leak rate
Over time, this memory leak can exhaust available kernel memory, leading to system instability or denial of service. The vulnerability is particularly concerning in embedded systems or long-running servers where uptime is critical and memory resources may be limited.
Detection Methods for CVE-2026-23080
Indicators of Compromise
- Gradual increase in kernel memory consumption over time on systems with mcba_usb devices
- Kernel memory allocation failures or OOM (Out of Memory) killer activations
- System logs indicating memory pressure when CAN USB devices are in use
- Unexplained system instability on systems with Microchip CAN BUS Analyzer devices
Detection Strategies
- Monitor kernel memory usage using tools like /proc/meminfo or slabtop for unusual growth patterns
- Implement kernel memory leak detection using kmemleak debugging feature
- Review dmesg output for USB subsystem errors related to mcba_usb
- Track URB allocation patterns in the CAN subsystem using ftrace or eBPF tracing
Monitoring Recommendations
- Deploy continuous memory monitoring on systems using CAN USB devices
- Set up alerts for sustained memory growth in kernel slab allocators
- Monitor USB device connection/disconnection events for anomalous patterns
- Implement regular system health checks that include memory consumption baselines
How to Mitigate CVE-2026-23080
Immediate Actions Required
- Update the Linux kernel to a patched version containing the fix
- Limit physical access to USB ports on critical systems
- Consider disabling the mcba_usb driver module if not actively required
- Implement regular system reboots as a temporary workaround for long-running systems
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix ensures proper URB anchoring in the mcba_usb_read_bulk_callback() function by re-anchoring URBs before resubmission.
Multiple patch commits have been applied to various stable kernel branches:
- Commit 179f6f0cf5ae489743273b7c1644324c0c477ea9
- Commit 710a7529fb13c5a470258ff5508ed3c498d54729
- Commit 94c9f6f7b953f6382fef4bdc48c046b861b8868f
- Commit d374d715e338dfc3804aaa006fa6e470ffebb264
Review the Linux Kernel Commit Detail for the complete patch and technical implementation details.
Workarounds
- Unload the mcba_usb kernel module using modprobe -r mcba_usb if CAN functionality is not required
- Blacklist the mcba_usb module to prevent automatic loading by adding blacklist mcba_usb to /etc/modprobe.d/blacklist.conf
- Implement scheduled reboots during maintenance windows to clear accumulated memory leaks
- Use alternative CAN interfaces that don't rely on the vulnerable driver
# Configuration example
# Disable mcba_usb module to prevent memory leak
echo "blacklist mcba_usb" | sudo tee /etc/modprobe.d/mcba_usb-blacklist.conf
# Remove currently loaded module if present
sudo modprobe -r mcba_usb
# Verify module is not loaded
lsmod | grep mcba_usb
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
