CVE-2026-46103

MEDIUM

can: ucan: fix devres lifetime

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: can: ucan: fix devres lifetime USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes). Fix the control message buffer lifetime so that it is released on driver unbind.

Scores

CVSS v3 5.5
EPSS 0.0011
EPSS Percentile 1.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-401
Status published
Products (27)
linux/Kernel 4.19.0 - 5.10.259linux
linux/Kernel 5.11.0 - 5.15.210linux
linux/Kernel 5.16.0 - 6.1.175linux
linux/Kernel 6.13.0 - 6.18.27linux
linux/Kernel 6.19.0 - 7.0.4linux
linux/Kernel 6.2.0 - 6.6.140linux
linux/Kernel 6.7.0 - 6.12.86linux
Linux/Linux < 4.19
Linux/Linux 4.19
Linux/Linux 5.10.259 - 5.10.*
... and 17 more
Published May 27, 2026
Tracked Since May 27, 2026