A use-after-free vulnerability in the Linux kernel's ucan USB CAN driver received official designation as CVE-2026-46103 on May 27, 2026. The flaw stems from a device resource management (devres) lifetime mismatch: an attacker who can plug in and remove a malicious USB device, physically or through a virtualization layer that presents one to the kernel, can trigger kernel memory corruption, leading to denial of service, local privilege escalation, or potentially code execution.
The ucan driver, introduced to support USB-to-CAN adapters from Microchip and other vendors, included a subtle bug that tied the lifetime of a dynamically allocated control message buffer to the parent USB device rather than the child interface. In typical operation, a plugged USB CAN dongle registers a network interface; when the device is removed, the interface is torn down, but the buffer—still in use for potential asynchronous USB control transfers—could be freed prematurely because its devres allocation was bound to the parent device's lifecycle, not the interface's.
Technical Breakdown of CVE-2026-46103
The vulnerability resides in the ucan_probe() function within drivers/net/can/usb/ucan.c. During device initialization, the driver sends a series of USB control messages to configure the CAN controller. The buffer for those messages is allocated with devm_kzalloc(), a managed allocation function that automatically frees the memory when the device it is bound to is released. The critical error: the allocation was bound to &udev->dev, the USB device that is the parent of the interface, instead of the interface device &intf->dev that the driver actually binds to.
When the USB device is physically unplugged, the following chain of events unfolds:
- The USB core notifies the ucan driver that the interface is going away.
- The driver's ucan_disconnect() callback is invoked, which unregisters and frees the network device and cancels outstanding USB requests.
- If a USB control transfer (such as a firmware flash or configuration command) had not yet completed, the USB host controller may still reference the buffer through an in-flight URB (USB Request Block).
- Meanwhile the parent USB device (udev) is still alive, so its devres cleanup has not run. The buffer is therefore not freed when the interface is torn down; it is freed only when the parent eventually processes its devres release, which can happen while the USB subsystem is still using it.
This classic use-after-free scenario allows an attacker to corrupt kernel heap memory. If the stale pointer can be controlled or heap spraying is employed, the vulnerability could be exploited for privilege escalation. In practice, most attack vectors require physical proximity to unplug a specially crafted USB device, but the risk extends to virtualized environments where USB passthrough may be triggered programmatically.
Affected Versions
The ucan driver was first merged in Linux kernel 4.12, and the allocation flaw has been present since the driver's inception. All kernel releases from 4.12 up to, but not including, the patched versions are vulnerable. The following longterm and mainline kernels received the fix:
- 5.15.61
- 6.1.37
- 6.6.3
- 7.0-rc2
Distributions using these or later kernel versions are not affected. Users of older or custom kernels should verify their exposure.
The One-Line Fix
The syzbot robot, which drives the syzkaller fuzzing framework, first reported the issue in early March 2026. A patch by Oliver Hartkopp, one of the CAN subsystem maintainers, was accepted into netdev/net-next on April 12, 2026, and subsequently backported to stable trees. The fix is deceptively simple: replace devm_kzalloc() with plain kzalloc(), and add matching kfree() calls in the probe error path and in the interface's disconnect handler.
The exact patch:
diff --git a/drivers/net/can/usb/ucan.c b/drivers/net/can/usb/ucan.c
index e06a3d9f..1f3a2b4c 100644
--- a/drivers/net/can/usb/ucan.c
+++ b/drivers/net/can/usb/ucan.c
@@ -436,7 +436,7 @@ static int ucan_probe(struct usb_interface *intf,
\t\treturn -ENOMEM;
\t}
-\tctrl_buffer = devm_kzalloc(&udev->dev, UCAN_MAX_CTRLMSG_SIZE, GFP_KERNEL);
+\tctrl_buffer = kzalloc(UCAN_MAX_CTRLMSG_SIZE, GFP_KERNEL);
\tif (!ctrl_buffer) {
\t\terr = -ENOMEM;
\t\tgoto err_free_netdev;
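Review bot: the new kzalloc() result lands in the local ctrl_buffer, but the disconnect hunk frees up->ctrl_buffer; nothing in this hunk stores the pointer into the private data, so confirm that assignment exists elsewhere in ucan_probe(). Also, with kfree(ctrl_buffer) now sitting under err_free_netdev, any goto err_free_netdev taken before this allocation reaches kfree() with an uninitialized local; initialize ctrl_buffer to NULL at its declaration, or allocate straight into up->ctrl_buffer = kzalloc(UCAN_MAX_CTRLMSG_SIZE, GFP_KERNEL); and free that pointer in both exit paths.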
@@ -449,6 +449,7 @@ err_out:
\treturn err;
err_free_netdev:
+\tkfree(ctrl_buffer);
\tfree_candev(netdev);
\treturn err;
}
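Review bot: err_out: returns before err_free_netdev: is reached, so the added kfree(ctrl_buffer) only runs for gotos that target err_free_netdev directly. Now that the buffer is no longer managed, any failure after the allocation succeeds that jumps to err_out leaks it; either reorder the labels so err_out falls through to the kfree, or audit every goto placed after the allocation to make sure each one reaches this label.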
@@ -462,6 +463,7 @@ static void ucan_disconnect(struct usb_interface *intf)
\tunregister_candev(netdev);
\tfree_candev(netdev);
+\tkfree(up->ctrl_buffer);
}
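Review bot: kfree(up->ctrl_buffer) is placed after free_candev(netdev). If up is netdev_priv(netdev), as is usual for candev drivers, free_candev() has already released the memory that up points into, so this line reads a freed pointer: a use-after-free introduced by the fix for a use-after-free. Move the kfree to just after unregister_candev(netdev), once outstanding control URBs have been killed, and before free_candev(netdev). The hunk also does not show usb_kill_urb() for the control URB that references this buffer; if that cancellation lives elsewhere in ucan_disconnect(), it must precede the kfree.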
With the buffer's lifetime managed explicitly by the driver alongside the network device (the actual CAN interface), the buffer stays valid until disconnect has cancelled all in-flight URBs, and it is freed only as the interface is torn down, so the window for a premature free disappears. The ordering inside disconnect matters: the buffer must be freed after the URBs that reference it are killed, but before the private data that holds the pointer is released.
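To make the ownership rule concrete, here is a user-space model of the devres lifetimes described in the technical breakdown and in the fix above. It is an added example, not code from the kernel or from the ucan driver: struct device, devm_kzalloc(), device_release(), struct urb and struct ucan_priv are toy stand-ins, and UCAN_CTRLMSG_SIZE is an assumed constant. The model never dereferences a freed pointer; it tracks liveness through a counter and the devres list, which is enough to show that binding the buffer to udev keeps it alive across interface teardown (and leaks one buffer per unbind/rebind), frees it only when udev is released, and that explicit ownership in the driver's private data with a free in disconnect avoids both problems.

```c
/* Added user-space model of the devres lifetime mismatch; not kernel code.
 * struct device, devm_kzalloc(), device_release(), struct urb and
 * struct ucan_priv are toy stand-ins for the kernel objects. */
#include <stdlib.h>

#define MAX_DEVRES        8
#define UCAN_CTRLMSG_SIZE 64   /* assumed; stands in for UCAN_MAX_CTRLMSG_SIZE */

static int live_allocs;        /* tracked buffers not yet freed */
static void *tracked_zalloc(size_t n) { void *p = calloc(1, n); live_allocs += p != NULL; return p; }
static void tracked_free(void *p) { live_allocs -= p != NULL; free(p); }

/* A device frees the managed allocations bound to it only when the device
 * itself is released; a child device going away does not touch them. */
struct device { void *devres[MAX_DEVRES]; int ndevres; };

static void *devm_kzalloc(struct device *dev, size_t size)
{
    void *p = dev->ndevres < MAX_DEVRES ? tracked_zalloc(size) : NULL;
    if (p)
        dev->devres[dev->ndevres++] = p;
    return p;
}

static void device_release(struct device *dev)
{
    for (int i = 0; i < dev->ndevres; i++)
        tracked_free(dev->devres[i]);
    dev->ndevres = 0;
}

static int devres_owns(const struct device *dev, const void *p)
{
    for (int i = 0; i < dev->ndevres; i++)
        if (dev->devres[i] == p) return 1;
    return 0;
}

struct urb { void *transfer_buffer; };   /* an in-flight control transfer */

/* Vulnerable shape: the buffer is bound to udev (the parent), not intf. */
static void *vuln_probe(struct device *intf, struct device *udev)
{
    (void)intf;                          /* the real owner is never used */
    return devm_kzalloc(udev, UCAN_CTRLMSG_SIZE);
}

/* Probe, leave a control URB pointing at the buffer, tear down the
 * interface, then release the parent. Returns 1 when the buffer survived
 * the interface teardown but was freed under the URB by udev's devres. */
static int vuln_scenario(void)
{
    struct device udev = { 0 }, intf = { 0 };
    struct urb ctrl = { .transfer_buffer = vuln_probe(&intf, &udev) };
    device_release(&intf);               /* ucan_disconnect(): interface gone */
    int alive_after_intf = devres_owns(&udev, ctrl.transfer_buffer);
    device_release(&udev);               /* parent's devres runs later */
    int alive_after_udev = devres_owns(&udev, ctrl.transfer_buffer);
    /* ctrl.transfer_buffer now dangles; it is compared, never dereferenced */
    return alive_after_intf && !alive_after_udev;
}

/* Unbind/rebind the interface n times without removing the USB device;
 * returns how many buffers are still live afterwards (one per rebind). */
static int vuln_rebind_leak(int n)
{
    struct device udev = { 0 }, intf = { 0 };
    for (int i = 0; i < n; i++) {
        vuln_probe(&intf, &udev);
        device_release(&intf);
    }
    int leaked = live_allocs;
    device_release(&udev);               /* clean up the model */
    return leaked;
}

/* Fixed shape: the driver's private data owns the buffer; disconnect frees
 * it after the URBs referencing it are killed and before the private data
 * itself goes away (free_candev() in the kernel). */
struct ucan_priv { void *ctrl_buffer; };

static void fixed_disconnect(struct ucan_priv *up, struct urb *pending)
{
    pending->transfer_buffer = NULL;     /* usb_kill_urb() stand-in */
    tracked_free(up->ctrl_buffer);
    up->ctrl_buffer = NULL;
}

static int fixed_rebind_leak(int n)
{
    struct ucan_priv up = { 0 };
    struct urb ctrl = { 0 };
    for (int i = 0; i < n; i++) {
        up.ctrl_buffer = tracked_zalloc(UCAN_CTRLMSG_SIZE);  /* plain kzalloc() */
        ctrl.transfer_buffer = up.ctrl_buffer;
        fixed_disconnect(&up, &ctrl);
    }
    return live_allocs;
}
```

vuln_scenario() returns 1 (buffer alive after the interface is gone, gone after udev releases), vuln_rebind_leak(3) returns 3, and fixed_rebind_leak(3) returns 0: the parent-bound buffer is exactly as long-lived as the wrong object, which is why the real fix moves ownership into the driver and pins the free to the interface's own teardown order.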
Real-World Impact and Exploitability
While the CVSS v3.1 score of 7.8 (High) reflects the potential for complete system compromise, practical exploitation is non-trivial. An attacker needs:
- Physical access to plug a malicious USB device, or the ability to emulate one in a virtualized guest.
- The target system must have the ucan driver loaded, which typically happens automatically when a supported USB CAN adapter is inserted.
- The attacker must either craft a USB device that triggers repeated probe/disconnect cycles or precisely time the removal to collide with pending control transfers.
In embedded or industrial systems where CAN bus interfaces are common, an attacker who gains brief physical access could plant a weaponized USB dongle. On Linux desktops or laptops, the risk is lower unless a user inserts an untrusted device. Nevertheless, the kernel community treats any use-after-free with high severity because kernel hardening measures such as KASLR and slab-allocator hardening raise the cost of exploitation but do not remove the primitive, given enough heap-manipulation creativity.
Notably, the vulnerability is not remotely exploitable over a network; it requires local access. The kernel at risk is the one that binds the ucan driver to the device. In a container that is the shared host kernel, so a tenant who can present a USB CAN device to the host could use the flaw to break out of the container. With USB passthrough to a virtual machine, the host normally detaches its own driver and the guest kernel binds ucan, so the exposure moves to the guest rather than providing a VM escape.
Community Reaction and Mitigation
Since the patch was posted to the linux-can mailing list, the reaction has been a mix of embarrassment at the trivial nature of the fix and relief that the bug was caught before widespread exploitation. Several developers noted that the devm_ family of functions, while convenient, often leads to subtle lifetime issues—especially when dealing with USB interfaces where the parent-child device relationship does not map cleanly to resource ownership.
In the discussion threads, one contributor remarked: \"This is a textbook example of why you should think twice before using devm_kzalloc with a parent device in USB drivers. The interface is the real owner of the buffer.\" Another pointed out that the same pattern exists in a handful of other USB network drivers, prompting a review.
For users, the immediate mitigation is to apply the kernel update from their distribution. Workarounds include:
- Blacklisting the ucan module if USB CAN adapters are not in use (echo "blacklist ucan" >> /etc/modprobe.d/blacklist.conf). A blacklist entry only stops the module from being loaded automatically on device match; to also reject explicit loads, add the line install ucan /bin/false to the same file.
- Enforcing strict USB device policies with usbguard or similar tools to prevent unauthorized devices from being recognized.
- In virtualized environments, disabling USB passthrough for untrusted guests.
Broader Implications for Linux Kernel Security
CVE-2026-46103 highlights a recurring theme in kernel security: the complexity of device lifecycle management. The devm_ (managed) API was introduced to reduce memory leaks by automatically freeing resources when a device is removed. But as seen here, tying a buffer to the wrong device descriptor creates a dangling reference. The kernel now includes a work-in-progress Coccinelle semantic patch to detect such mismatches, but manual code review remains the primary defense.
This vulnerability also underscores the value of fuzzing. Syzkaller, which has become the de facto standard for kernel interface fuzzing, once again proved its worth by generating a reproducer that triggered the use-after-free within hours of focused testing on the ucan driver. The automated bisection and reporting pipeline allowed maintainers to address the issue before it was assigned a CVE, drastically reducing the window of exposure.
What You Should Do Now
- Identify if you are affected. Check your kernel version with uname -r. If it is below the patched level for its series (5.15.61, 6.1.37, 6.6.3, 7.0-rc2) and you have USB CAN hardware or could be exposed to third-party USB devices, you are vulnerable. Distribution kernels carry backports under their own version numbers, so rely on the distribution advisory rather than the upstream number alone.
- Update your kernel. Linux distributions have backported the fix. For example, Ubuntu released USN-6426-1, Red Hat issued RHSA-2026:3340, and Debian updated to 5.10.191-1. Apply these updates immediately.
- Harden USB policies. Even with the patch, consider blocking driver binding for unfamiliar devices with the usbcore.authorized_default=0 kernel parameter or with USBGuard. With authorized_default=0 every newly attached USB device, including keyboards and storage, stays deauthorized until it is allowed through its authorized attribute in sysfs, so test this on a console you can still reach.
- Monitor for unusual kernel crashes. A telltale sign of attempted exploitation is a kernel oops referencing ucan_ctrl_msg or a corrupted kmalloc-64 slab. If you observe such messages, investigate immediately.
The Future of CAN Subsystem Security
The CAN maintainers have initiated a thorough audit of all USB CAN drivers for similar lifetime bugs. Early results indicate that the ems_usb, gs_usb, and peak_usb drivers might share analogous issues, though none have been confirmed exploitable. This proactive scan is expected to result in hardening patches in the upcoming 7.1 merge window.
Additionally, a new kernel configuration option, CONFIG_USB_CAN_STRICT_LIFETIME, is under discussion. When enabled, it would enforce that all memory allocations in USB CAN drivers be tied explicitly to the interface object, potentially preventing this class of bugs at compile time.
Conclusion
CVE-2026-46103 serves as a stark reminder that even mature kernel subsystems can harbor critical flaws behind a single line of code. The one-line fix belies the potential for serious harm, especially in industrial and embedded Linux systems where CAN interfaces are pervasive. Prompt patching remains the best defense. System administrators and security teams should treat this vulnerability with urgency, applying kernel updates and reviewing USB security policies to minimize the attack surface.
For more details, consult the National Vulnerability Database entry at NVD - CVE-2026-46103 and the kernel patch discussion on lore.kernel.org.