{"id":"CVE-2026-23061","summary":"can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ncan: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak\n\nFix similar memory leak as in commit 7352e1d5932a (\"can: gs_usb:\ngs_usb_receive_bulk_callback(): fix URB memory leak\").\n\nIn kvaser_usb_set_{,data_}bittiming() -\u003e kvaser_usb_setup_rx_urbs(), the\nURBs for USB-in transfers are allocated, added to the dev-\u003erx_submitted\nanchor and submitted. In the complete callback\nkvaser_usb_read_bulk_callback(), the URBs are processed and resubmitted. In\nkvaser_usb_remove_interfaces() the URBs are freed by calling\nusb_kill_anchored_urbs(&dev-\u003erx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in usb_kill_anchored_urbs().\n\nFix the memory leak by anchoring the URB in the\nkvaser_usb_read_bulk_callback() to the dev-\u003erx_submitted anchor.","aliases":["ECHO-f553-7fb2-8231"],"modified":"2026-04-21T02:27:23.905962433Z","published":"2026-02-04T16:07:43.626Z","related":["SUSE-SU-2026:0962-1","SUSE-SU-2026:1081-1","SUSE-SU-2026:20667-1","SUSE-SU-2026:20720-1","SUSE-SU-2026:20838-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1","SUSE-SU-2026:20931-1","openSUSE-SU-2026:20416-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23061.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/248e8e1a125fa875158df521b30f2cc7e27eeeaa"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3b1a593eab941c3f32417896cc7df564191f2482"},{"type":"WEB","url":"https://git.kernel.org/stable/c/40a3334ffda479c63e416e61ff086485e24401f7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7c308f7530bffafa994e0aa8dc651a312f4b9ff4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/94a7fc42e21c7d9d1c49778cd1db52de5df52a01"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c1b39fa24c140bc616f51fef4175c1743e2bb132"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d9d824582f2ec76459ffab449e9b05c7bc49645c"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23061.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23061"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"080f40a6fa28dab299da7a652e444b1e2d9231e7"},{"fixed":"d9d824582f2ec76459ffab449e9b05c7bc49645c"},{"fixed":"40a3334ffda479c63e416e61ff086485e24401f7"},{"fixed":"c1b39fa24c140bc616f51fef4175c1743e2bb132"},{"fixed":"7c308f7530bffafa994e0aa8dc651a312f4b9ff4"},{"fixed":"94a7fc42e21c7d9d1c49778cd1db52de5df52a01"},{"fixed":"3b1a593eab941c3f32417896cc7df564191f2482"},{"fixed":"248e8e1a125fa875158df521b30f2cc7e27eeeaa"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23061.json"}}],"schema_version":"1.7.5"}