CVE-2026-23472
Analyzed Analyzed - Analysis Complete
Infinite Loop Vulnerability in Linux Kernel Serial Driver

Publication date: 2026-04-03

Last updated on: 2026-05-26

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN uart_write_room() and uart_write() behave inconsistently when xmit_buf is NULL (which happens for PORT_UNKNOWN ports that were never properly initialized): - uart_write_room() returns kfifo_avail() which can be > 0 - uart_write() checks xmit_buf and returns 0 if NULL This inconsistency causes an infinite loop in drivers that rely on tty_write_room() to determine if they can write: while (tty_write_room(tty) > 0) { written = tty->ops->write(...); // written is always 0, loop never exits } For example, caif_serial's handle_tx() enters an infinite loop when used with PORT_UNKNOWN serial ports, causing system hangs. Fix by making uart_write_room() also check xmit_buf and return 0 if it's NULL, consistent with uart_write(). Reproducer: https://gist.github.com/mrpre/d9a694cc0e19828ee3bc3b37983fde13
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-05-26
Generated
2026-06-16
AI Q&A
2026-04-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23472
EUVD
EUVD-2026-18745
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.19 (inc) to 6.19.10 (exc)
linux linux_kernel From 2.6.12.1 (inc) to 6.18.20 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's serial core, specifically in the handle_tx() function for PORT_UNKNOWN serial ports. The issue arises because two functions, uart_write_room() and uart_write(), behave inconsistently when the transmit buffer (xmit_buf) is NULL, which happens for PORT_UNKNOWN ports that were never properly initialized.

uart_write_room() returns a positive value (kfifo_avail()) indicating there is room to write, while uart_write() returns 0 if xmit_buf is NULL. Drivers relying on tty_write_room() to check if they can write enter an infinite loop because tty_write_room() indicates space is available, but writing never progresses as uart_write() returns 0.

An example is the caif_serial driver, whose handle_tx() function can enter an infinite loop when used with PORT_UNKNOWN serial ports, causing the system to hang. The fix involves making uart_write_room() also check if xmit_buf is NULL and return 0 in that case, ensuring consistent behavior with uart_write().

Impact Analysis

This vulnerability can cause system hangs due to infinite loops in drivers that rely on tty_write_room() to determine if they can write data. Specifically, if a driver like caif_serial uses PORT_UNKNOWN serial ports that were never properly initialized, its handle_tx() function may enter an infinite loop, causing the system to become unresponsive.

Detection Guidance

This vulnerability causes an infinite loop in the handle_tx() function for PORT_UNKNOWN serial ports, which can lead to system hangs. Detection involves monitoring for symptoms such as system hangs or processes stuck in infinite loops related to serial port communication.

Since the issue arises when uart_write_room() returns a positive value but uart_write() returns zero due to xmit_buf being NULL, you can attempt to identify affected drivers or ports by checking for serial ports with PORT_UNKNOWN status or uninitialized xmit_buf buffers.

No specific commands are provided in the available information. However, monitoring system logs for serial driver errors or hangs, and using debugging tools like 'strace' or 'gdb' to trace the handle_tx() function behavior on serial ports may help detect the issue.

Mitigation Strategies

The vulnerability is fixed by updating the Linux kernel to a version where uart_write_room() checks if xmit_buf is NULL and returns 0 accordingly, preventing the infinite loop.

Immediate mitigation steps include:

  • Update the Linux kernel to the patched version that includes the fix for this issue.
  • Avoid using or initializing serial ports with PORT_UNKNOWN status until the fix is applied.
  • Monitor systems for symptoms of hangs related to serial port communication and restart affected services or systems if necessary.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23472. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart