{ "threat_severity" : "Moderate", "public_date" : "2026-03-25T00:00:00Z", "bugzilla" : { "description" : "kernel: can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message", "id" : "2451195", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2451195" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "draft" }, "cwe" : "CWE-805", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ncan: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message\nWhen looking at the data in a USB urb, the actual_length is the size of\nthe buffer passed to the driver, not the transfer_buffer_length which is\nset by the driver as the max size of the buffer.\nWhen parsing the messages in ems_usb_read_bulk_callback() properly check\nthe size both at the beginning of parsing the message to make sure it is\nbig enough for the expected structure, and at the end of the message to\nmake sure we don't overflow past the end of the buffer for the next\nmessage.", "A flaw was found in the Linux kernel's ems_usb module. This vulnerability occurs because the system does not properly verify the length of messages it receives. An attacker could exploit this weakness by sending specially crafted messages, potentially causing the system to crash (Denial of Service) or, in some cases, execute unauthorized code." ], "statement" : "This flaw affects systems with EMS CPC-USB CAN adapters. The driver fails to properly validate message lengths when parsing USB URB data, potentially allowing buffer overflows. A malicious USB device could send crafted messages to trigger out-of-bounds reads or writes. Physical access to connect the USB device is required.", "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23307\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23307\nhttps://lore.kernel.org/linux-cve-announce/2026032528-CVE-2026-23307-60f2@gregkh/T" ], "name" : "CVE-2026-23307", "mitigation" : { "value" : "To mitigate this issue, prevent the ems_usb module from being loaded. See https://access.redhat.com/solutions/41278 for instructions.", "lang" : "en:us" }, "csaw" : false }