CVE-2026-23347 Overview
A memory leak vulnerability has been identified in the Linux kernel's CAN USB f81604 driver. The vulnerability exists in the read bulk callback function where the URB (USB Request Block) is not properly anchored before submission. When using the anchor pattern for URB management, the URB must be anchored before submitting it; otherwise, it could be leaked if usb_kill_anchored_urbs() is called. While this logic is correctly implemented elsewhere in the driver, the read bulk callback was missing this critical step.
Critical Impact
Systems using the f81604 CAN-to-USB adapter may experience memory leaks that could lead to resource exhaustion and potential denial of service conditions when the affected USB driver handles read bulk callbacks.
Affected Products
- Linux kernel with f81604 CAN USB driver
- Systems using Fintek F81604 CAN-to-USB adapters
- Linux distributions with affected kernel versions
Discovery Timeline
- 2026-03-25 - CVE CVE-2026-23347 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-23347
Vulnerability Analysis
This vulnerability is a Memory Leak issue within the Linux kernel's USB subsystem, specifically affecting the f81604 CAN (Controller Area Network) driver. The f81604 driver manages Fintek CAN-to-USB adapters, which are commonly used in industrial control systems, automotive diagnostics, and embedded development environments.
The core issue stems from improper URB (USB Request Block) lifecycle management. In the Linux USB subsystem, URBs are used to transfer data between the kernel and USB devices. The anchor pattern is a mechanism that allows the kernel to track and manage groups of URBs, enabling operations like killing all pending URBs when a device is disconnected or during error recovery.
When a URB is submitted without being anchored first, a race condition can occur. If usb_kill_anchored_urbs() is called between the URB allocation and its submission, the URB will not be properly cleaned up because it was never added to the anchor list. This results in the URB remaining allocated in memory indefinitely, causing a memory leak.
Root Cause
The root cause is an incorrect ordering of operations in the read bulk callback function. The proper sequence should be: (1) allocate URB, (2) anchor URB to the anchor list, (3) submit URB. However, the vulnerable code path in the read bulk callback was submitting the URB before anchoring it, violating the anchor pattern contract. This inconsistency existed only in the read bulk callback while other code paths in the same driver correctly implemented the anchor-before-submit pattern.
Attack Vector
The attack vector for this vulnerability is primarily local, requiring physical access to connect a USB device or the ability to trigger USB device events. An attacker with local access could potentially:
- Repeatedly trigger the read bulk callback by sending CAN traffic through a connected f81604 device
- Cause usb_kill_anchored_urbs() to be invoked through device disconnection or error injection
- Accumulate memory leaks over time, eventually leading to system resource exhaustion
The vulnerability is described as requiring specific conditions to trigger, involving the timing between URB submission and anchor operations. In practical terms, exploitation would require sustained interaction with the affected USB device to accumulate enough leaked memory to impact system stability.
Detection Methods for CVE-2026-23347
Indicators of Compromise
- Gradual memory consumption increase on systems with f81604 CAN USB adapters connected
- Kernel memory allocation warnings or out-of-memory conditions in systems using CAN interfaces
- Abnormal USB subsystem behavior or URB-related kernel log messages
Detection Strategies
- Monitor kernel memory allocations in the USB subsystem using tools like kmemleak
- Review system logs for URB-related warnings or memory allocation failures
- Track memory usage patterns on systems with f81604 devices during CAN traffic processing
Monitoring Recommendations
- Implement memory usage monitoring on systems using CAN-to-USB adapters
- Set alerts for gradual memory increases that don't correlate with normal workload patterns
- Monitor /proc/meminfo and /proc/slabinfo for USB-related memory allocations
How to Mitigate CVE-2026-23347
Immediate Actions Required
- Update the Linux kernel to a patched version containing the fix
- Disconnect f81604 CAN USB adapters from critical systems until patched
- Monitor affected systems for signs of memory exhaustion
Patch Information
Multiple kernel commits have been released to address this vulnerability. The fix ensures that URBs are properly anchored before submission in the read bulk callback, consistent with the pattern used elsewhere in the driver. Patches are available through the official kernel git repository:
- Kernel Commit 54ee7430
- Kernel Commit 7724645c
- Kernel Commit 952caa5d
- Kernel Commit c001214e
- Kernel Commit f6d80b10
Workarounds
- Unload the f81604 kernel module when not actively required using modprobe -r f81604
- Implement periodic system reboots on affected systems to clear accumulated memory leaks
- Use alternative CAN interfaces that don't rely on the affected f81604 driver if available
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
