CVE-2026-23298
Infinite Loop Vulnerability in Linux Kernel UCAN Driver
Publication date: 2026-03-25
Last updated on: 2026-04-18
Assigner: kernel.org
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kvaser | kvaser_usb | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is caused by the ucan driver entering an infinite loop when receiving zero-length messages from broken ucan devices. To mitigate this, ensure your Linux kernel is updated with the fix that skips zero-length messages in ucan_read_bulk_callback().
If updating the kernel is not immediately possible, avoid using or disconnect any known broken ucan devices that might send zero-length messages, as these can cause the system to hang.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when the ucan driver receives a message with a zero-length message field from a broken ucan device, causing the driver to enter an infinite loop and hang the system.
To detect this vulnerability on your system, you can monitor the behavior of the kvaser_usb driver and check for system hangs or unusual CPU usage related to ucan devices.
Since the issue is triggered by zero-length messages, you can attempt to capture CAN traffic and inspect message lengths to identify any zero-length messages being sent.
- Use the 'candump' tool from the can-utils package to capture CAN messages: candump can0
- Filter captured messages to check for zero-length frames, for example by parsing candump output or using custom scripts.
- Monitor system logs (e.g., dmesg or journalctl) for any kernel messages or errors related to the kvaser_usb driver.
- Check for system hangs or high CPU usage in processes related to CAN device drivers.
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's ucan driver. When the driver receives a message with a length field set to zero from a broken ucan device, it enters an infinite loop inside the ucan_read_bulk_callback() function. This causes the system to hang because the driver continuously processes the zero-length message without progressing.
The issue has been fixed by modifying the driver to skip any messages with a zero length instead of processing them, preventing the infinite loop.
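A simplified userspace model of the loop described above, added here as an example and not taken from the kernel's ucan code. The 2-byte length header, the function names and the sample buffers are assumptions constructed for illustration, and the checked walker stops at a zero-length message as one way of skipping it.

```c
#include <stdint.h>
#include <stdio.h>
/* Assumed layout (constructed for this example, not the ucan wire format):
 * every message begins with a 2-byte little-endian length covering the
 * whole message, header included. */
#define HDR_LEN 2u
const uint8_t sample_ok[]   = {4, 0, 0xAA, 0xBB, 3, 0, 0xCC};        /* constructed */
const uint8_t sample_zero[] = {4, 0, 0xAA, 0xBB, 0, 0, 3, 0, 0xCC};  /* constructed */

static uint16_t msg_len(const uint8_t *buf, size_t pos)
{
    return (uint16_t)(buf[pos] | (buf[pos + 1] << 8));
}

/* Pre-fix pattern: only truncation is checked. Returns messages handled, or
 * -1 once max_steps iterations pass (stand-in for the endless loop). */
int walk_unchecked(const uint8_t *buf, size_t n, int max_steps)
{
    size_t pos = 0;
    int handled = 0;
    while (pos + HDR_LEN <= n) {
        uint16_t len = msg_len(buf, pos);
        if (n - pos < len) break;              /* truncated message */
        if (handled == max_steps) return -1;   /* cursor is stuck */
        handled++;
        pos += len;                            /* len == 0 leaves pos unchanged */
    }
    return handled;
}

/* Post-fix pattern: a length that cannot advance the cursor ends the walk. */
int walk_checked(const uint8_t *buf, size_t n)
{
    size_t pos = 0;
    int handled = 0;
    while (pos + HDR_LEN <= n) {
        uint16_t len = msg_len(buf, pos);
        if (len < HDR_LEN || n - pos < len) break;   /* covers len == 0 */
        handled++;
        pos += len;
    }
    return handled;
}

int main(void)
{
    printf("unchecked: %d\n", walk_unchecked(sample_zero, sizeof sample_zero, 1000));
    printf("checked:   %d\n", walk_checked(sample_zero, sizeof sample_zero));
    return 0;
}
```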
How can this vulnerability impact me?
If exploited, this vulnerability can cause the affected system to hang or become unresponsive due to the infinite loop triggered by zero-length messages from broken ucan devices. This can lead to denial of service conditions, potentially disrupting normal operations.