Skip to main content

Linux EUVDEUVD-2026-15248

| CVE-2026-23307 MEDIUM
2026-03-25 Linux GHSA-hg9v-crxc-wx3j
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
5.2 MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
May 28, 2026 - 14:37 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15248
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message

When looking at the data in a USB urb, the actual_length is the size of the buffer passed to the driver, not the transfer_buffer_length which is set by the driver as the max size of the buffer.

When parsing the messages in ems_usb_read_bulk_callback() properly check the size both at the beginning of parsing the message to make sure it is big enough for the expected structure, and at the end of the message to make sure we don't overflow past the end of the buffer for the next message.

AnalysisAI

A buffer overflow vulnerability exists in the Linux kernel's EMS USB CAN driver (ems_usb) in the ems_usb_read_bulk_callback() function, where the driver fails to properly validate USB message lengths before parsing and copying data. An attacker with the ability to supply a malicious USB device or intercept USB communications could trigger a buffer overflow by providing specially crafted messages that exceed the expected message boundaries, potentially leading to kernel memory corruption, denial of service, or privilege escalation. No CVSS score, EPSS risk rating, or active exploitation data (KEV status) is currently available, though multiple stable kernel branches have received patches indicating vendor awareness of the issue's severity.

Technical ContextAI

The vulnerability resides in the EMS USB CAN bus driver for the Linux kernel (affected CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), specifically in the USB bulk callback handler responsible for parsing incoming CAN messages from EMS USB devices. The root cause is a length validation flaw classified under buffer overflow (CWE-120 or related overflow categories): the driver incorrectly references transfer_buffer_length (the maximum allocated buffer size set by the driver) instead of actual_length (the actual number of bytes received from the USB device) when validating message boundaries. During message parsing in ems_usb_read_bulk_callback(), the code fails to perform bounds checks both at the start of each message structure (to ensure sufficient data is available) and at the end (to prevent reading beyond the received data into adjacent memory), creating conditions for out-of-bounds memory access within kernel space.

RemediationAI

Users should update their Linux kernel to a version that includes the patches referenced in the git commits (c703bbf8e9b4947e111c88d2ed09236a6772a471 and related). This typically means upgrading to the latest stable kernel release or applying backported security patches from your distribution's kernel maintainers (e.g., via apt update && apt upgrade on Debian/Ubuntu systems, or yum update on RHEL/CentOS systems). Consult your distribution's security advisories and the upstream Linux kernel repository at https://git.kernel.org/stable/ for the specific kernel version containing these patches. Until patching is feasible, mitigate risk by restricting physical USB port access on systems running vulnerable kernels, disabling USB CAN drivers if not in use via kernel module blacklisting, and limiting untrusted USB device connections. For embedded and automotive systems using CAN interfaces, prioritize kernel updates to the latest LTS (Long Term Support) release.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-15248 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy