CVE-2026-23324 Overview
A memory leak vulnerability has been identified in the Linux kernel's ETAS ES58X USB CAN (Controller Area Network) driver. The vulnerability exists in the read bulk callback function where USB Request Blocks (URBs) are not properly anchored before submission. When using the anchor pattern for URB management, failure to anchor the URB before calling usb_submit_urb() can result in memory leaks if usb_kill_anchored_urbs() is subsequently called.
Critical Impact
Local attackers with access to USB CAN devices could potentially trigger memory exhaustion conditions through improper URB handling in the etas_es58x driver, leading to system instability or denial of service.
Affected Products
- Linux Kernel (versions with etas_es58x USB CAN driver)
- Systems using ETAS ES581.4, ES582.1, or ES584.1 USB-to-CAN interfaces
- Industrial and automotive systems relying on CAN bus communication via USB adapters
Discovery Timeline
- 2026-03-25 - CVE CVE-2026-23324 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-23324
Vulnerability Analysis
The etas_es58x driver implements USB communication for ETAS ES58X series CAN interfaces commonly used in automotive diagnostics and industrial control systems. The driver utilizes the URB (USB Request Block) anchor pattern, which is a standard Linux kernel mechanism for tracking and managing asynchronous USB operations.
The anchor pattern requires that URBs be anchored to an anchor list before submission. This ensures that when usb_kill_anchored_urbs() is called (typically during device disconnection or driver shutdown), all outstanding URBs can be properly cancelled and their memory released. In the vulnerable code path within the read bulk callback function, the URB was being submitted without first being anchored, violating this protocol.
This implementation inconsistency is particularly problematic because the anchoring logic was correctly implemented in other parts of the same driver, making this an oversight in the read bulk callback specifically.
Root Cause
The root cause is an incorrect ordering of operations in the read bulk callback function of the etas_es58x driver. The URB must be anchored using usb_anchor_urb() before being submitted with usb_submit_urb(). Without this anchoring step, the URB becomes untracked, and subsequent calls to usb_kill_anchored_urbs() will not include this URB, resulting in a memory leak.
The fix involves ensuring that usb_anchor_urb() is called on the URB before usb_submit_urb() is invoked in the read bulk callback, consistent with the implementation pattern used elsewhere in the driver.
Attack Vector
Exploitation of this vulnerability requires local access to a system with an ETAS ES58X USB CAN device connected. An attacker could potentially trigger repeated URB submissions through the read bulk callback while simultaneously causing conditions that invoke usb_kill_anchored_urbs(), such as device disconnection events.
The vulnerability could be exploited to cause memory exhaustion over time, leading to denial of service conditions. The attack surface is limited to systems with physical USB CAN hardware and appropriate driver modules loaded.
Detection Methods for CVE-2026-23324
Indicators of Compromise
- Unusual memory consumption growth associated with the etas_es58x kernel module
- Kernel memory allocation failures or OOM (Out of Memory) killer activity on systems with USB CAN devices
- Unexpected USB device disconnect/reconnect events paired with memory pressure indicators
Detection Strategies
- Monitor kernel memory allocation patterns using tools like slabtop or /proc/meminfo on systems running the etas_es58x driver
- Implement kernel tracing with ftrace or perf to monitor URB submission and anchoring operations in the driver
- Review system logs (dmesg, journalctl) for USB subsystem errors or memory allocation failures related to CAN interfaces
Monitoring Recommendations
- Deploy memory pressure monitoring on industrial systems using ETAS ES58X CAN interfaces
- Establish baseline memory usage for systems with the etas_es58x module loaded and alert on significant deviations
- Monitor USB device enumeration events to detect potential exploitation attempts involving rapid connect/disconnect cycles
How to Mitigate CVE-2026-23324
Immediate Actions Required
- Update the Linux kernel to a patched version containing the fix for the etas_es58x driver
- If patching is not immediately possible, consider unloading the etas_es58x module on non-essential systems
- Restrict physical access to USB ports on critical systems to prevent unauthorized device connections
Patch Information
The Linux kernel development team has released patches to address this vulnerability. Multiple stable kernel branches have received fixes that ensure proper URB anchoring in the read bulk callback function.
The following kernel commits contain the fix:
- Kernel Commit 18eee279e9b5
- Kernel Commit 2185ea6e4ebc
- Kernel Commit 5eaad4f76826
- Kernel Commit b878444519fa
- Kernel Commit b8f9ca882535
- Kernel Commit f6e90c113c92
Workarounds
- Temporarily blacklist the etas_es58x module by adding blacklist etas_es58x to /etc/modprobe.d/blacklist.conf if the CAN functionality is not required
- Implement USB device authorization controls to prevent unauthorized CAN adapters from being recognized
- Use alternative CAN interfaces that do not rely on the affected driver until patching is complete
# Configuration example
# Blacklist the vulnerable driver until patched kernel is deployed
echo "blacklist etas_es58x" | sudo tee /etc/modprobe.d/etas_es58x-blacklist.conf
# Unload the module if currently loaded
sudo modprobe -r etas_es58x
# Verify module is not loaded
lsmod | grep etas_es58x
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
