In the Linux kernel, there is an information leak caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c
This was fixed for Fedora with the 5.3.11 stable kernel update.
At this time, it appears that the stack information leak would appear on the CANBUS. For interested parties this is not a 'traditional' network like ethernet but specifically used in car/boat/industrial style applications.
This would leak a system that -has- one of these usb devices attached to devices 'on' the canbus.
As the devices module will be auto-loaded when the USB CAN bus adapter is connected, its can be disabled by preventing the module from loading with the following instructions:
# echo "install peak_usb /bin/true" >> /etc/modprobe.d/disable-peak-usb-canbus.conf
The system will need to be restarted if the peak_usb module is already loaded. In most circumstances, the kernel modules will be unable to be unloaded while any CAN bus interfaces are active and the protocol is in use. If the system requires this module to work correctly, this mitigation may not be suitable. If you need further assistance, see KCS article https://access.redhat.com/solutions/41278 or contact Red Hat Global Support Services.
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1796101]