CVE-2026-23155 Overview
A vulnerability has been identified in the Linux kernel's CAN (Controller Area Network) subsystem, specifically within the gs_usb driver. The issue occurs in the gs_usb_receive_bulk_callback() function where an uninitialized pointer can be dereferenced during error handling. Following commit 79a6d1bfe114, when a URB (USB Request Block) resubmit fails, an info message is printed. However, in cases where a short read occurs before netdev has been assigned, the code attempts to dereference an undefined value, potentially leading to system instability or information disclosure.
Critical Impact
Dereferencing uninitialized memory in kernel space can lead to system crashes, kernel panics, or potentially expose sensitive memory contents.
Affected Products
- Linux kernel with gs_usb CAN driver enabled
- Systems utilizing Geschwister Schneider USB/CAN devices
- Embedded systems with CAN bus interfaces over USB
Discovery Timeline
- February 14, 2026 - CVE-2026-23155 published to NVD
- February 18, 2026 - Last updated in NVD database
Technical Details for CVE-2026-23155
Vulnerability Analysis
The vulnerability resides in the USB bulk transfer callback handler for the gs_usb CAN driver. When processing incoming USB data, the driver's gs_usb_receive_bulk_callback() function handles the asynchronous completion of bulk transfers. The issue manifests during error conditions, specifically when a short read occurs before the network device pointer (netdev) has been properly initialized.
In the vulnerable code path, when usb_submit_urb() fails during a URB resubmit operation, the error handling code attempts to print an informational message that references the netdev variable. However, if a short read has occurred prior to netdev being assigned a valid value, the variable contains undefined memory contents. Dereferencing this uninitialized pointer can result in reading arbitrary memory locations, potentially causing kernel crashes or leaking sensitive kernel memory.
Root Cause
The root cause is an Uninitialized Memory Use vulnerability in the error handling path of the gs_usb_receive_bulk_callback() function. The netdev variable was not properly initialized to NULL before use, leaving it with an indeterminate value when the code path that assigns it is not executed. This violates safe coding practices where all pointers should be initialized to a known safe value before any potential use.
Attack Vector
The attack vector involves USB device interaction. An attacker with physical access to the system could potentially craft a malicious USB device that triggers the vulnerable code path by:
- Presenting itself as a Geschwister Schneider USB/CAN device
- Generating malformed USB bulk transfers that cause short reads
- Triggering URB resubmission failures through timing manipulation or malformed responses
While physical access is typically required, virtualized environments that pass through USB devices or systems with remote USB capabilities could potentially expand the attack surface. The vulnerability could lead to denial of service through kernel panics or potentially be combined with other vulnerabilities for information disclosure.
Detection Methods for CVE-2026-23155
Indicators of Compromise
- Unexpected kernel panics or oops messages referencing gs_usb_receive_bulk_callback
- System log entries showing USB bulk transfer errors for CAN devices
- Repeated connection/disconnection events from USB CAN interfaces
Detection Strategies
- Monitor kernel logs (dmesg) for error messages containing gs_usb or can driver references
- Enable kernel memory debugging options such as KASAN (Kernel Address Sanitizer) to detect uninitialized memory access
- Implement USB device auditing to track newly connected CAN devices
Monitoring Recommendations
- Configure alerting for kernel oops or panic events in system monitoring tools
- Review USB device connection logs for suspicious CAN adapter activity
- Deploy endpoint detection solutions that monitor kernel driver behavior
How to Mitigate CVE-2026-23155
Immediate Actions Required
- Apply the latest kernel patches from your Linux distribution
- If patches are not immediately available, consider disabling or unloading the gs_usb module if CAN functionality is not required
- Restrict physical USB access to trusted personnel and devices
Patch Information
The Linux kernel maintainers have released fixes across multiple stable kernel branches. The following commits address this vulnerability:
- Kernel Git Commit 494fc02
- Kernel Git Commit 713ba82
- Kernel Git Commit 8986cdf
- Kernel Git Commit 923379f
- Kernel Git Commit aed58a2
The fix initializes the netdev variable to NULL to prevent dereferencing undefined values and also improves error reporting by including the actual error value from failed URB resubmissions.
Workarounds
- Unload the gs_usb module using modprobe -r gs_usb if CAN functionality is not needed
- Blacklist the module by adding blacklist gs_usb to /etc/modprobe.d/blacklist.conf
- Implement USB device whitelisting through udev rules to prevent unauthorized CAN adapters from being recognized
# Configuration example
# Temporarily disable gs_usb module
sudo modprobe -r gs_usb
# Permanently blacklist the module (if CAN is not required)
echo "blacklist gs_usb" | sudo tee /etc/modprobe.d/blacklist-gs_usb.conf
# Verify the module is not loaded
lsmod | grep gs_usb
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
