PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23307 Linux CVE debrief

A vulnerability in the Linux kernel's EMS USB CAN driver (ems_usb) allows a local attacker to cause a denial of service. The issue is in ems_usb_read_bulk_callback(), which bounds its message parsing with transfer_buffer_length (the buffer size the driver requested for the bulk transfer) instead of actual_length (the number of bytes the USB device actually returned). The device supplies both the message count and each message's length field, so a short transfer that carries a large length value makes the parser read past the data that was received: nothing checks that a message header fits before it is read, and the end-of-message check is made against the wrong limit. The result is a buffer over-read in the kernel. The vulnerability affects Linux kernel versions from 2.6.32 before 6.19.7, as well as 7.0-rc1 and 7.0-rc2. Patches are available for all affected stable kernel branches.

Vendor
Linux
Product
Unknown
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-25
Original CVE updated
2026-05-28
Advisory published
2026-03-25
Advisory updated
2026-05-28

Who should care

Organizations running Linux hosts with EMS USB CAN bus interfaces, particularly in industrial control, automotive and embedded environments. Exposure requires the ems_usb driver to be present and the ability to present a device to it: the malformed transfer comes from the USB device side, so the attack needs local access to the host. Administrators of such hosts should confirm that the kernel is at or past the patched release for its stable branch.

Technical summary

ems_usb_read_bulk_callback() in drivers/net/can/usb/ems_usb.c walks the messages in a completed bulk urb and bounds that walk with urb->transfer_buffer_length, the size the driver asked for, rather than urb->actual_length, the number of bytes the device delivered. When a transfer carries several messages, a message length that extends past the received data is not caught until after that message has been read, and even then only against the allocation size, so the parser can read stale buffer contents from an earlier transfer or beyond the buffer itself. The fix bounds the walk with actual_length and checks both ends of each message: before reading, that a complete message header lies within the received data, and after reading the header, that the declared payload does too, so a message cannot run into the space of the next one or past the end of the transfer.
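To make the two bounds concrete, here is an added, runnable userspace model of the parsing loop. It is the editor's example, not the kernel's code or the fix as committed: the message layout and sizes follow the driver's definitions, the urb is a stand-in struct holding only the three fields the loop consults, reads go through a recording helper so the model never faults, and the hardened variant implements the checks described above rather than reproducing the upstream patch verbatim. The sample transfer is constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes from the driver: a 4-byte bulk header whose first byte holds the
 * message count, then messages of an 11-byte header (type, length, msgid,
 * two 32-bit timestamps) followed by `length` payload bytes. 64 bytes is
 * the RX urb size the driver requests, i.e. transfer_buffer_length. */
#define CPC_HEADER_SIZE    4
#define CPC_MSG_HEADER_LEN 11
#define RX_BUFFER_SIZE     64

/* Assumed stand-in for the urb fields the callback consults. */
struct model_urb {
    uint8_t  buf[RX_BUFFER_SIZE];     /* backing store allocated by the driver */
    unsigned transfer_buffer_length;  /* size requested: RX_BUFFER_SIZE */
    unsigned actual_length;           /* bytes the device really delivered */
};

struct parse_result {
    unsigned msgs_parsed;
    unsigned max_offset_read;  /* furthest buffer index the parser touched */
    int      format_error;
};

/* Every byte the parser reads goes through here so the caller can see how
 * far it reached. Indices beyond the backing store return 0 instead of
 * faulting; in the kernel they would read whatever memory follows. */
static uint8_t peek(const struct model_urb *u, unsigned off, struct parse_result *r)
{
    if (off > r->max_offset_read)
        r->max_offset_read = off;
    return off < RX_BUFFER_SIZE ? u->buf[off] : 0;
}

static void consume(const struct model_urb *u, unsigned start, unsigned n,
                    struct parse_result *r)
{
    for (unsigned i = 0; i < n; i++)
        peek(u, start + i, r);
}

/* Loop as described for the unfixed driver: header and payload are read
 * first, and the only check compares the next offset with the allocation. */
struct parse_result parse_bulk_vulnerable(const struct model_urb *u)
{
    struct parse_result r = {0, 0, 0};
    unsigned start = CPC_HEADER_SIZE, msg_count;

    if (u->actual_length <= CPC_HEADER_SIZE)
        return r;
    msg_count = peek(u, 0, &r) & ~0x80u;   /* driver masks bit 7 off */
    while (msg_count) {
        unsigned len = peek(u, start + 1, &r);            /* device-supplied */
        consume(u, start, CPC_MSG_HEADER_LEN + len, &r);  /* header + payload */
        r.msgs_parsed++;
        start += CPC_MSG_HEADER_LEN + len;
        msg_count--;
        if (start > u->transfer_buffer_length) {  /* wrong limit, checked too late */
            r.format_error = 1;
            break;
        }
    }
    return r;
}

/* Same loop with the two checks the advisory describes, both against
 * actual_length: a whole header must fit before it is read, and the
 * declared payload must fit before it is copied. */
struct parse_result parse_bulk_fixed(const struct model_urb *u)
{
    struct parse_result r = {0, 0, 0};
    unsigned start = CPC_HEADER_SIZE, msg_count;

    if (u->actual_length <= CPC_HEADER_SIZE)
        return r;
    msg_count = peek(u, 0, &r) & ~0x80u;
    while (msg_count) {
        unsigned len;
        if (start + CPC_MSG_HEADER_LEN > u->actual_length) { r.format_error = 1; break; }
        len = peek(u, start + 1, &r);
        if (start + CPC_MSG_HEADER_LEN + len > u->actual_length) { r.format_error = 1; break; }
        consume(u, start, CPC_MSG_HEADER_LEN + len, &r);
        r.msgs_parsed++;
        start += CPC_MSG_HEADER_LEN + len;
        msg_count--;
    }
    return r;
}

/* Constructed sample, not a captured transfer: the device returns 20 bytes
 * (4-byte header claiming two messages, then one message with a 5-byte
 * payload), while offset 20 onward still holds a stale header from an
 * earlier, longer transfer whose length byte says 48. */
const struct model_urb *sample_short_transfer(void)
{
    static struct model_urb u;
    memset(&u, 0, sizeof u);
    u.transfer_buffer_length = RX_BUFFER_SIZE;
    u.actual_length = 20;
    u.buf[0] = 0x82;                 /* count = 2, bit 7 set as the driver expects */
    u.buf[CPC_HEADER_SIZE + 1] = 5;  /* message 1: payload length 5 */
    u.buf[20 + 1] = 48;              /* stale length byte where message 2 would be */
    return &u;
}

int main(void)
{
    const struct model_urb *u = sample_short_transfer();
    struct parse_result v = parse_bulk_vulnerable(u), f = parse_bulk_fixed(u);
    printf("vulnerable: %u msgs, read up to offset %u of %u delivered, error=%d\n",
           v.msgs_parsed, v.max_offset_read, u->actual_length, v.format_error);
    printf("fixed:      %u msgs, read up to offset %u, error=%d\n",
           f.msgs_parsed, f.max_offset_read, f.format_error);
    return 0;
}
```

On the sample transfer the vulnerable loop accepts the stale second message and reaches offset 78, past both the 20 delivered bytes and the 64-byte allocation, before its check fires; the hardened loop rejects that message before touching any byte of it, having accepted only the one message the device actually sent.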

Defensive priority

medium

Recommended defensive actions

  • Apply the kernel update for your distribution's stable branch: the first fixed releases are 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.77, 6.18.17 and 6.19.7, or any later release on the same branch
  • Where the kernel comes from a distribution vendor, use the vendor's patched package; vendor kernels often backport fixes without changing the upstream version number, so check the vendor's changelog rather than relying on the version string alone
  • If immediate patching is not possible, restrict physical access to hosts with EMS USB CAN devices attached, since the malformed transfer comes from the USB device side and the attack requires local access; where the adapter is not in use, preventing the ems_usb module from loading removes the exposure
  • Monitor kernel logs (dmesg or the journal) for ems_usb errors and for unexpected attach or detach events of USB CAN devices
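As an added check for the first two actions (editor's example, not PatchSiren's or the kernel project's tooling): classify a kernel release string against the first fixed releases listed above. The branch and version numbers come from this debrief; the sysfs path used to tell whether the driver is loaded is the editor's assumption. Anything outside the listed branches, including the 7.0 release candidates for which no fixed version is listed, is reported as unknown, and a distribution kernel that backports the fix without changing its version number cannot be judged from the string, so treat "vulnerable" as "check the vendor changelog".

```sh
#!/bin/sh
# Editor's example script: map a kernel release string to patched /
# vulnerable / unknown using the first fixed releases this debrief lists.

# First fixed release per stable branch, taken from the debrief.
fixed_for_branch() {
    case "$1" in
        5.10) echo 5.10.253 ;;
        5.15) echo 5.15.203 ;;
        6.1)  echo 6.1.167 ;;
        6.6)  echo 6.6.130 ;;
        6.12) echo 6.12.77 ;;
        6.18) echo 6.18.17 ;;
        6.19) echo 6.19.7 ;;
        *)    return 1 ;;
    esac
}

# Succeed when dotted version $1 >= $2, comparing component by component
# numerically (so 6.6.130 > 6.6.99, which a plain string compare gets wrong).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# Print patched, vulnerable or unknown for a release string as printed by
# `uname -r`, e.g. "6.6.120-generic"; the suffix after the numeric part
# is ignored, so "7.0.0-rc2" is judged as branch 7.0 (unknown here).
ems_usb_status() {
    rel=${1%%[!0-9.]*}
    case "$rel" in *.*) ;; *) echo unknown; return 0 ;; esac
    major=${rel%%.*}; rest=${rel#*.}; minor=${rest%%.*}
    if fixed=$(fixed_for_branch "$major.$minor"); then
        if version_ge "$rel" "$fixed"; then echo patched; else echo vulnerable; fi
    else
        echo unknown
    fi
}

# The bug only matters where the driver can run: sysfs exposes the module
# directory when ems_usb is loaded or built in (assumed location).
ems_usb_present() {
    [ -d /sys/module/ems_usb ]
}

# Usage: ./ems_usb_check.sh [kernel-release]; defaults to the running kernel.
kernel=${1:-$(uname -r 2>/dev/null || echo 0)}
printf '%s: %s' "$kernel" "$(ems_usb_status "$kernel")"
if ems_usb_present; then printf ' (ems_usb driver present)\n'; else printf '\n'; fi
```

A host that reports "patched" but has the driver present still deserves a look at the vendor package version, since the script only knows the upstream branch numbers; a host that reports "unknown" on a 7.0 release candidate is, per the affected versions above, still vulnerable until a fixed 7.0 build is installed.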

Evidence notes

The vulnerability description is sourced from the official CVE record and NVD entry. The issue was resolved by correcting the length check in ems_usb_read_bulk_callback() to use actual_length instead of transfer_buffer_length. Multiple kernel stable branch patches are available.

Official resources

2026-03-25