CVE-2026-23108 Overview
A memory leak vulnerability has been identified in the Linux kernel's USB-8dev CAN (Controller Area Network) driver. The vulnerability exists in the usb_8dev_read_bulk_callback() function, where USB Request Blocks (URBs) for USB-in transfers are not properly anchored after completion, leading to memory leakage when the device is closed.
Critical Impact
Systems using the USB-8dev CAN interface may experience memory exhaustion over time due to improperly released URBs, potentially leading to system instability or denial of service conditions.
Affected Products
- Linux kernel with USB-8dev CAN driver enabled
- Systems utilizing USB-8dev CAN interfaces for Controller Area Network communications
- Industrial and automotive systems relying on CAN bus communication via USB-8dev adapters
Discovery Timeline
- 2026-02-04 - CVE CVE-2026-23108 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2026-23108
Vulnerability Analysis
This memory leak vulnerability occurs in the USB-8dev CAN driver's bulk read callback handling. The issue is rooted in how URBs (USB Request Blocks) are managed throughout their lifecycle in the driver.
When usb_8dev_open() is called, it invokes usb_8dev_start() which allocates URBs for USB-in transfers. These URBs are added to the priv->rx_submitted anchor and submitted for processing. During normal operation, the usb_8dev_read_bulk_callback() function processes completed URBs and resubmits them for additional data reception.
The critical flaw exists because the USB framework unanchors URBs before invoking the completion callback. This means that once an in-URB has been completed, it is no longer attached to the priv->rx_submitted anchor. When usb_8dev_close() is called, which triggers unlink_all_urbs(), the function calls usb_kill_anchored_urbs(&priv->rx_submitted) to free URBs. However, since completed URBs are already unanchored, they are never released, resulting in a memory leak.
This vulnerability is similar to a previously addressed issue in the gs_usb driver (commit 7352e1d5932a), indicating this is a pattern-based flaw across USB CAN drivers.
Root Cause
The root cause is the failure to re-anchor URBs in the usb_8dev_read_bulk_callback() function after the USB framework unanchors them upon completion. The driver incorrectly assumes that URBs remain anchored throughout their lifecycle, but the USB subsystem removes them from the anchor before the completion callback is executed.
Attack Vector
While this vulnerability does not directly enable remote code execution, it can be exploited to cause denial of service through memory exhaustion. An attacker with physical access to a system with a USB-8dev CAN interface could continuously trigger USB bulk transfers, causing URBs to leak memory with each completion cycle. Over extended operation periods, this could exhaust system memory resources, leading to system instability or crashes.
The vulnerability requires local access and affects systems where the USB-8dev CAN driver is actively in use for CAN bus communications.
Detection Methods for CVE-2026-23108
Indicators of Compromise
- Gradual increase in kernel memory usage on systems with active USB-8dev CAN interfaces
- Memory allocation warnings or out-of-memory (OOM) conditions over extended operation periods
- Unusual system slowdowns correlated with CAN bus activity
Detection Strategies
- Monitor kernel memory allocations using tools like slabtop or /proc/slabinfo for URB-related allocations
- Track memory consumption patterns on systems utilizing USB-8dev CAN devices
- Review kernel logs for memory pressure warnings or OOM killer activity
- Use kernel memory debugging tools (KASAN, kmemleak) to detect leaked URB objects
Monitoring Recommendations
- Implement continuous memory monitoring on systems with USB CAN interfaces
- Set up alerting thresholds for abnormal memory growth patterns
- Deploy SentinelOne Singularity platform for kernel-level visibility and anomaly detection
- Periodically audit systems running the affected driver for memory usage trends
How to Mitigate CVE-2026-23108
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the URB anchoring fix
- Restart systems after applying kernel updates to ensure the fix takes effect
- Monitor affected systems for memory usage until patches can be applied
- Consider temporarily disabling USB-8dev CAN interfaces on critical systems if patches are not immediately available
Patch Information
The fix involves properly anchoring URBs in the usb_8dev_read_bulk_callback() function to the priv->rx_submitted anchor. This ensures that all URBs are tracked and properly released when usb_kill_anchored_urbs() is called during device close.
Multiple kernel patches have been released to address this vulnerability:
- Kernel Git Commit 07e9373739c6
- Kernel Git Commit 59ff56992bba
- Kernel Git Commit ea4a98e92416
- Kernel Git Commit f7a980b3b8f8
Workarounds
- Periodically restart systems using USB-8dev CAN interfaces to reclaim leaked memory
- Implement memory monitoring scripts to alert when memory usage exceeds defined thresholds
- Consider using alternative CAN interfaces if the USB-8dev driver cannot be updated
- Limit the operational duration of affected systems until patching is complete
# Check current kernel version and USB-8dev driver status
uname -r
lsmod | grep usb_8dev
# Monitor memory usage related to USB subsystem
cat /proc/slabinfo | grep urb
# Restart USB-8dev interface to temporarily free leaked URBs
modprobe -r usb_8dev
modprobe usb_8dev
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
