SUSE fixes Linux kernel memory leaks in USB gadget EEM and DVB-USB m920x drivers
SUSE published fixes for two Linux kernel memory-leak vulnerabilities affecting supported enterprise and community distributions: CVE-2025-68289 in the USB gadget EEM component and CVE-2023-54266 in the media subsystem's dvb-usb m920x driver. The first flaw occurs in f_eem's eem_unwrap path, where inadequate handling of usb_ep_queue failures could leave allocated resources unreleased; SUSE rated it moderate with a CVSS v3.1 score of 5.5. The second issue affects m920x_i2c_xfer(), where an error returned by m920x_read() could trigger a memory leak; SUSE also rated that flaw moderate, assigning CVSS v3.1 4.7 and CVSS v4.0 5.7.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
SUSE updates CVE-2023-54266 page
The SUSE CVE page for CVE-2023-54266 indicates it was last modified on 2026-06-25, reflecting an update to the vendor's vulnerability record.
SUSE publishes fixes for CVE-2025-68289 across multiple products
SUSE reports that CVE-2025-68289 was resolved by improving error handling in the Linux kernel USB gadget EEM component so allocated resources are freed when usb_ep_queue fails, and says fixes were released in multiple advisories affecting SUSE Linux Enterprise, SUSE Linux Micro, and openSUSE products.
SUSE publishes fixes for CVE-2023-54266 across product lines
SUSE states that CVE-2023-54266 was resolved and that multiple security advisories were published in January through March 2026 for supported SUSE Linux Enterprise, SUSE Micro, openSUSE Leap, and cloud image products.
CVE-2023-54266 page created by SUSE
SUSE's CVE page for CVE-2023-54266 states that the entry was created on 2025-12-30 for a Linux kernel memory leak vulnerability in the dvb-usb m920x driver.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
1255155 - (CVE-2025-68289) VUL-0: CVE-2025-68289: kernel: usb: gadget: f_eem: Fix memory leak in eem_unwrap
bugzilla.suse.com
Open sourceCVE-2025-68289 Common Vulnerabilities and Exposures | SUSE
suse.com
Open sourceCVE-2023-54266 Common Vulnerabilities and Exposures | SUSE
suse.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
SUSE fixes Linux kernel CAN USB driver URB memory leaks
SUSE has released fixes for two Linux kernel vulnerabilities affecting CAN USB drivers: **CVE-2026-23080** in `mcba_usb` and **CVE-2026-23108** in `usb_8dev`. In both cases, a URB memory leak occurs in the drivers' bulk-read completion callbacks because completed USB receive URBs are unanchored by the USB framework before the callback executes, preventing `usb_kill_anchored_urbs()` from freeing them during device shutdown. SUSE rates both flaws as **moderate** severity, with impact primarily or exclusively tied to **availability**. The fixes re-anchor the completed URB to `priv->rx_submitted` inside `mcba_usb_read_bulk_callback()` and `usb_8dev_read_bulk_callback()` so cleanup works correctly during device close and shutdown. SUSE says patches have been shipped across supported product lines including **SLES 15 SP7**, **SLES 16.0**, **SUSE Linux Micro 6.x**, **SLES for SAP**, and **openSUSE Leap 16.0**, while some older, LTSS, end-of-life, or unsupported products remain affected or will not receive updates. The vendor also linked both issues to upstream stable kernel fixes and noted they are similar to an earlier `gs_usb` URB leak remediation.
Jun 4, 2026
SUSE fixes Linux kernel flaws causing hangs and resource leaks
SUSE published fixes for two Linux kernel vulnerabilities affecting multiple enterprise and micro Linux products. **CVE-2026-23168** impacts the kernel's flexible proportions subsystem, where a race condition between a softirq timer path and a hardirq path can leave `read_seqcount_begin()` spinning on an odd sequence value, creating a deadlock-like hang. The issue is particularly relevant in configurations that limit writeout throughput on backing device interfaces, a setup described as uncommon generally but more typical for **FUSE** BDIs. SUSE also addressed **CVE-2026-31400** in the kernel **sunrpc** subsystem, where a `cache_request` leak in `cache_release()` can occur if a reader closes its file descriptor during a partial read. That condition can decrement the reader count without triggering the cleanup needed to dequeue and free the request when `CACHE_PENDING` is clear, creating a local low-privilege denial-of-service risk through resource exhaustion. SUSE rated CVE-2026-31400 as moderate severity and issued advisories and package updates across **SUSE Linux Enterprise**, **SUSE Linux Micro**, and **openSUSE Leap**, while some branches remain unaffected, unsupported, in progress, or still listed as affected depending on product lifecycle.
Jun 4, 2026
Linux Kernel cdns3 USB Gadget Use-After-Free Patched Across SUSE Products
SUSE disclosed and remediated **CVE-2025-40314**, a Linux kernel use-after-free flaw in the `usb/cdns3` gadget code that can be triggered during failed initialization and shutdown of the `cdnsp` gadget. The bug stems from freeing the gadget structure before its endpoints, leaving dangling pointers in the endpoint list and causing unsafe memory access when those endpoints are later released. SUSE rated the issue **moderate severity**, with a **CVSS v3.1 score of 6.1** and **CVSS v4.0 score of 6.9**, and said exploitation requires **local access with low privileges**. The vendor said the fix changes the teardown sequence by splitting `usb_del_gadget_udc()` into separate delete and put operations so endpoints are freed before the final gadget release through `usb_put_gadget()`. SUSE shipped patches through multiple 2026 advisories affecting **SLES**, **SLE Micro**, **SUSE Linux Micro**, **openSUSE Leap**, public cloud images, SAP images, and related kernel update streams, while noting that some older or unsupported product lines remain unfixed because of lifecycle status. Tracking references include SUSE Bugzilla, CVE records, stable kernel commits, and upstream kernel documentation.
Jun 27, 2026