CVE-2025-68308
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-16

Last updated on: 2025-12-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: can: kvaser_usb: leaf: Fix potential infinite loop in command parsers The `kvaser_usb_leaf_wait_cmd()` and `kvaser_usb_leaf_read_bulk_callback` functions contain logic to zero-length commands. These commands are used to align data to the USB endpoint's wMaxPacketSize boundary. The driver attempts to skip these placeholders by aligning the buffer position `pos` to the next packet boundary using `round_up()` function. However, if zero-length command is found exactly on a packet boundary (i.e., `pos` is a multiple of wMaxPacketSize, including 0), `round_up` function will return the unchanged value of `pos`. This prevents `pos` to be increased, causing an infinite loop in the parsing logic. This patch fixes this in the function by using `pos + 1` instead. This ensures that even if `pos` is on a boundary, the calculation is based on `pos + 1`, forcing `round_up()` to always return the next aligned boundary.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-16
Last Modified
2025-12-18
Generated
2026-06-16
AI Q&A
2025-12-16
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68308
EUVD
EUVD-2025-203772
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kvaser kvaser_usb *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is in the Linux kernel's kvaser_usb driver, specifically in the command parsers of the kvaser_usb_leaf_wait_cmd() and kvaser_usb_leaf_read_bulk_callback functions. The issue arises when zero-length commands, which are used to align data to the USB endpoint's packet size boundary, occur exactly on a packet boundary. The driver uses a round_up() function to skip these placeholders by aligning the buffer position to the next packet boundary. However, if the position is exactly on the boundary, round_up() returns the same value, causing the position not to advance and resulting in an infinite loop in the parsing logic. The fix involves adjusting the calculation to use pos + 1, ensuring the position always moves forward and preventing the infinite loop.

Impact Analysis

This vulnerability can cause the kvaser_usb driver to enter an infinite loop when processing certain USB commands, potentially leading to a denial of service condition where the driver or system becomes unresponsive or stuck while handling USB data from Kvaser devices.

Mitigation Strategies

Update the Linux kernel to a version that includes the patch fixing the infinite loop in the kvaser_usb driver. The patch modifies the command parsing logic to prevent the infinite loop by adjusting the buffer position calculation. Until the update is applied, avoid using the affected kvaser_usb driver to prevent triggering the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68308. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart