PatchSiren

CVE-2026-46103 Linux CVE debrief

A memory management vulnerability in the Linux kernel's USB CAN driver (ucan) could lead to resource leaks when the driver is unbound without physical disconnection. The issue stems from improper device resource (devres) lifetime management: control message buffers were tied to the parent USB device rather than the USB interface. This affects scenarios such as probe deferral or configuration changes, where the driver unbinds but its resources persist. The vulnerability has been resolved by correcting the buffer lifetime so that the buffers are released on driver unbind.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Linux systems with USB CAN bus interfaces, particularly those with dynamic USB configurations, hot-plugging scenarios, or industrial/automotive applications using CAN over USB adapters.

Technical summary

The ucan USB CAN driver in the Linux kernel incorrectly tied device-managed resource (devres) lifetimes to the parent USB device rather than the USB interface. As a result, control message buffers persisted when the driver unbound without physical disconnection, such as during probe deferral or configuration changes. The fix corrects the resource lifetime so that the buffers are released on driver unbind, preventing memory leaks in dynamic USB configuration scenarios.
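
The lifetime mismatch described above can be reproduced in a small user-space model. This is an added example, not code from the ucan driver or the kernel: every name in it (model_dev, model_devm_alloc, model_unbind, CTL_MSG_SIZE and the rest) is hypothetical, and the buffer size is a constructed value. It counts how many control message buffers are still allocated after repeated probe/unbind rounds with no unplug, depending on which device owns the allocation.

```c
#include <stdio.h>
#include <stdlib.h>

/* User-space model only: a "device" owns a list of managed allocations. */
struct res { struct res *next; };
struct model_dev { struct res *head; size_t live; };
struct model_usb { struct model_dev udev, intf; }; /* parent device + interface */
enum owner { OWNER_USB_DEVICE, OWNER_INTERFACE };
#define CTL_MSG_SIZE 64 /* constructed size, not taken from the driver */

/* Managed allocation: freed when the owning device releases its resources. */
static void *model_devm_alloc(struct model_dev *d, size_t n) {
    struct res *r = malloc(sizeof(*r) + n);
    if (!r) return NULL;
    r->next = d->head; d->head = r; d->live++;
    return r + 1;
}
static void model_release_all(struct model_dev *d) {
    while (d->head) {
        struct res *r = d->head;
        d->head = r->next; free(r); d->live--;
    }
}
/* Probe allocates the control message buffer against the chosen owner. */
static int model_probe(struct model_usb *u, enum owner o) {
    struct model_dev *d = (o == OWNER_INTERFACE) ? &u->intf : &u->udev;
    return model_devm_alloc(d, CTL_MSG_SIZE) ? 0 : -1;
}
/* Unbind releases only what the interface owns; the parent stays alive. */
static void model_unbind(struct model_usb *u) { model_release_all(&u->intf); }
/* Physical disconnect tears down the interface and the parent device. */
static void model_disconnect(struct model_usb *u) {
    model_release_all(&u->intf); model_release_all(&u->udev);
}
/* Buffers still allocated after `cycles` probe/unbind rounds, no unplug. */
static size_t buffers_held_after(enum owner o, int cycles) {
    struct model_usb u = {0};
    for (int i = 0; i < cycles; i++) {
        if (model_probe(&u, o) != 0) break;
        model_unbind(&u);
    }
    size_t held = u.udev.live + u.intf.live;
    model_disconnect(&u); /* clean up the model itself */
    return held;
}
int main(void) {
    printf("owner=usb device: %zu held\n", buffers_held_after(OWNER_USB_DEVICE, 5));
    printf("owner=interface:  %zu held\n", buffers_held_after(OWNER_INTERFACE, 5));
    return 0;
}
```

With the parent device as owner, one buffer accumulates per bind cycle until the device is physically removed; with the interface as owner, nothing survives an unbind.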

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the referenced stable commits when available for your distribution
  • Monitor vendor security advisories for kernel package updates addressing CVE-2026-46103
  • For systems using USB CAN devices, verify driver unbind/rebind operations complete without resource leaks after patching
  • Review systems with frequent USB configuration changes or probe deferral scenarios for memory pressure indicators

Evidence notes

The CVE description and kernel commit references confirm this is a devres lifetime fix in the can/ucan USB driver. Multiple stable kernel commits are referenced, indicating backports to supported branches. The fix ensures control message buffers are released when the driver unbinds rather than persisting until physical disconnection.

Official resources

2026-05-27