Skip to main content

Linux CVE-2026-23298

| EUVDEUVD-2026-15233 MEDIUM
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2026-03-25 Linux GHSA-v7rc-q48q-f2p3
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
4.6 MEDIUM
AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
May 29, 2026 - 14:37 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15233
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:26 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

can: ucan: Fix infinite loop from zero-length messages

If a broken ucan device gets a message with the message length field set to 0, then the driver will loop for forever in ucan_read_bulk_callback(), hanging the system. If the length is 0, just skip the message and go on to the next one.

This has been fixed in the kvaser_usb driver in the past in commit 0c73772cd2b8 ("can: kvaser_usb: leaf: Fix potential infinite loop in command parsers"), so there must be some broken devices out there like this somewhere.

AnalysisAI

A denial-of-service vulnerability exists in the Linux kernel's ucan (CAN-over-USB) driver where malformed USB messages with a zero-length field cause an infinite loop in the ucan_read_bulk_callback() function, hanging the entire system. An attacker with physical access to a USB port can connect a malicious or compromised CAN device to trigger this condition, rendering the affected system unresponsive. While no CVSS or EPSS scores are available, the vulnerability is confirmed as patched across multiple stable kernel branches with six commits addressing the issue.

Technical ContextAI

The vulnerability resides in the Linux kernel's CAN (Controller Area Network) subsystem, specifically the ucan driver (USB CAN adapter driver) that handles bulk USB data transfers from CAN devices. The affected code path is the ucan_read_bulk_callback() function, which processes incoming USB bulk messages from CAN hardware. CAN is a vehicle bus standard commonly used in automotive and industrial applications, transmitted over USB adapters. The root cause is an improper input validation issue (CWE category) where the driver fails to validate that incoming message length fields are non-zero before entering a processing loop, causing an infinite loop condition. This follows a pattern previously fixed in the kvaser_usb driver (commit 0c73772cd2b8), indicating a known class of device firmware defects that generate malformed packets. The CPE cpe:2.3:a:linux:linux affects all versions of the Linux kernel without this specific patch.

RemediationAI

Update to a patched Linux kernel version containing any of the six commits listed in the references (commits are available at https://git.kernel.org/stable/c/[commit-hash]). For immediate deployment, check your distribution's security advisories and apply kernel updates marked as addressing CVE-2026-23298. Until patching is possible, restrict physical USB access to the system and implement device allowlisting policies if using ucan devices, preventing connection of untrusted CAN-over-USB hardware. For critical systems in automotive or industrial environments, validate that replacement USB CAN adapters come from trusted vendors and have undergone firmware validation to avoid the 'broken devices' condition referenced in the vulnerability description.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23298 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy