CVE-2026-46103
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk2th percentile - higher than 2% of all known CVEs
Summary
In the Linux kernel, the can:ucan driver had a lifetime management issue where resources tied to the USB interface were not properly released upon driver unbind, causing memory leaks.
Risk Assessment
The risk involves memory leaks during driver unbind, which can lead to system performance degradation or memory exhaustion over time.
Recommendation
It is recommended to update the Linux kernel to a version containing this fix to ensure proper release of the control message buffer upon driver unbind.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: can: ucan: fix devres lifetime USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes). Fix the control message buffer lifetime so that it is released on driver unbind.

