CVE-2026-23031

In gscanopen(), the URBs for USB-in transfers are allocated, added to the parent->rxsubmitted anchor and submitted. In the complete callback gsusbreceivebulkcallback(), the URB is processed and resubmitted. In gscanclose() the URBs are freed by calling usbkillanchoredurbs(parent->rx_submitted).

However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in gscanclose().

Fix the memory leak by anchoring the URB in the gsusbreceivebulkcallback() to the parent->rx_submitted anchor.

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23031.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

d08e973a77d128b25e01a08c34d89593fdf222da

Fixed

ec5ccc2af9e5b045671f3f604b57512feda8bcc5

Fixed

f905bcfa971edb89e398c98957838d8c6381c0c7

Fixed

08624b7206ddb9148eeffc2384ebda2c47b6d1e9

Fixed

9f669a38ca70839229b7ba0f851820850a2fe1f7

Fixed

7352e1d5932a0e777e39fa4b619801191f57e603

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23031.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.16.0

Fixed

6.1.162

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.122

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.67

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.18.7

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23031.json"