Bug 2435661 (CVE-2026-23031) - CVE-2026-23031 kernel: Linux kernel: Memory leak in gs_usb module can lead to denial of service via improper USB Request Block handling.
Summary: CVE-2026-23031 kernel: Linux kernel: Memory leak in gs_usb module can lead to...
Keywords:
Status: NEW
Alias: CVE-2026-23031
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-01-31 12:02 UTC by OSIDB Bzimport
Modified: 2026-02-02 14:55 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-01-31 12:02:19 UTC 
In the Linux kernel, the following vulnerability has been resolved:

can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak

In gs_can_open(), the URBs for USB-in transfers are allocated, added to the
parent->rx_submitted anchor and submitted. In the complete callback
gs_usb_receive_bulk_callback(), the URB is processed and resubmitted. In
gs_can_close() the URBs are freed by calling
usb_kill_anchored_urbs(parent->rx_submitted).

However, this does not take into account that the USB framework unanchors
the URB before the complete function is called. This means that once an
in-URB has been completed, it is no longer anchored and is ultimately not
released in gs_can_close().

Fix the memory leak by anchoring the URB in the
gs_usb_receive_bulk_callback() to the parent->rx_submitted anchor.
Comment 1 Alexander B 2026-02-02 09:37:32 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026013120-CVE-2026-23031-9e82@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.