CVE-2026-23298
Analyzed Analyzed - Analysis Complete
Infinite Loop Vulnerability in Linux Kernel UCAN Driver

Publication date: 2026-03-25

Last updated on: 2026-05-29

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: can: ucan: Fix infinite loop from zero-length messages If a broken ucan device gets a message with the message length field set to 0, then the driver will loop for forever in ucan_read_bulk_callback(), hanging the system. If the length is 0, just skip the message and go on to the next one. This has been fixed in the kvaser_usb driver in the past in commit 0c73772cd2b8 ("can: kvaser_usb: leaf: Fix potential infinite loop in command parsers"), so there must be some broken devices out there like this somewhere.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-05-29
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23298
EUVD
EUVD-2026-15233
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.19 (inc) to 6.19.7 (exc)
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.17 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.77 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.167 (exc)
linux linux_kernel From 4.19 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The vulnerability is caused by the ucan driver entering an infinite loop when receiving zero-length messages from broken ucan devices. To mitigate this, ensure your Linux kernel is updated with the fix that skips zero-length messages in ucan_read_bulk_callback().

If updating the kernel is not immediately possible, avoid using or disconnect any known broken ucan devices that might send zero-length messages, as these can cause the system to hang.

Executive Summary

This vulnerability exists in the Linux kernel's ucan driver. When the driver receives a message with a length field set to zero from a broken ucan device, it enters an infinite loop inside the ucan_read_bulk_callback() function. This causes the system to hang because the driver continuously processes the zero-length message without progressing.

The issue has been fixed by modifying the driver to skip any messages with a zero length instead of processing them, preventing the infinite loop.

Impact Analysis

If exploited, this vulnerability can cause the affected system to hang or become unresponsive due to the infinite loop triggered by zero-length messages from broken ucan devices. This can lead to denial of service conditions, potentially disrupting normal operations.

Detection Guidance

This vulnerability occurs when a broken ucan device receives a message with a zero-length message field, causing the driver to enter an infinite loop and hang the system.

To detect this vulnerability on your system, you can monitor the behavior of the kvaser_usb driver and check for system hangs or unusual CPU usage related to ucan devices.

Since the issue is triggered by zero-length messages, you can attempt to capture CAN traffic and inspect message lengths to identify any zero-length messages being sent.

  • Use the 'candump' tool from the can-utils package to capture CAN messages: candump can0
  • Filter captured messages to check for zero-length frames, for example by parsing candump output or using custom scripts.
  • Monitor system logs (e.g., dmesg or journalctl) for any kernel messages or errors related to the kvaser_usb driver.
  • Check for system hangs or high CPU usage in processes related to CAN device drivers.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23298. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart