CVE-2026-23307Buffer Access with Incorrect Length Value in Linux

CWE-805Buffer Access with Incorrect Length Value8 documents7 sources
Severity
5.5MEDIUM
No vector
EPSS
0.0%
top 89.21%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
LinuxLinux KernelDebian Linux+1 more
Timeline
PublishedMar 25

Description

In the Linux kernel, the following vulnerability has been resolved: can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message When looking at the data in a USB urb, the actual_length is the size of the buffer passed to the driver, not the transfer_buffer_length which is set by the driver as the max size of the buffer. When parsing the messages in ems_usb_read_bulk_callback() properly check the size both at the beginning of parsing the message to make sure it is big enou

Affected Packages5 packages

Linuxlinux/linux_kernel2.6.326.1.167+4
Debianlinux/linux_kernel< 6.19.8-1
CVEListV5linux/linux702171adeed3607ee9603ec30ce081411e36ae42c703bbf8e9b4947e111c88d2ed09236a6772a471+6
debiandebian/linux< linux 6.19.8-1 (forky)

🔴Vulnerability Details

3
OSV
CVE-2026-23307: In the Linux kernel, the following vulnerability has been resolved: can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message W2026-03-25
OSV
can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message2026-03-25
GHSA
GHSA-hg9v-crxc-wx3j: In the Linux kernel, the following vulnerability has been resolved: can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message2026-03-25

📋Vendor Advisories

3
Red Hat
kernel: can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message2026-03-25
Microsoft
can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message2026-03-10
Debian
CVE-2026-23307: linux - In the Linux kernel, the following vulnerability has been resolved: can: ems_us...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-23307 Impact, Exploitability, and Mitigation Steps | Wiz