CVE-2026-23472
Infinite Loop Vulnerability in Linux Kernel Serial Driver
Publication date: 2026-04-03
Last updated on: 2026-04-03
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | kernel | * |
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's serial core, specifically in the handle_tx() function for PORT_UNKNOWN serial ports. The issue arises because two functions, uart_write_room() and uart_write(), behave inconsistently when the transmit buffer (xmit_buf) is NULL, which happens for PORT_UNKNOWN ports that were never properly initialized.
uart_write_room() returns a positive value (kfifo_avail()) indicating there is room to write, while uart_write() returns 0 if xmit_buf is NULL. Drivers relying on tty_write_room() to check if they can write enter an infinite loop because tty_write_room() indicates space is available, but writing never progresses as uart_write() returns 0.
An example is the caif_serial driver, whose handle_tx() function can enter an infinite loop when used with PORT_UNKNOWN serial ports, causing the system to hang. The fix involves making uart_write_room() also check if xmit_buf is NULL and return 0 in that case, ensuring consistent behavior with uart_write().
How can this vulnerability impact me? :
This vulnerability can cause system hangs due to infinite loops in drivers that rely on tty_write_room() to determine if they can write data. Specifically, if a driver like caif_serial uses PORT_UNKNOWN serial ports that were never properly initialized, its handle_tx() function may enter an infinite loop, causing the system to become unresponsive.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability causes an infinite loop in the handle_tx() function for PORT_UNKNOWN serial ports, which can lead to system hangs. Detection involves monitoring for symptoms such as system hangs or processes stuck in infinite loops related to serial port communication.
Since the issue arises when uart_write_room() returns a positive value but uart_write() returns zero due to xmit_buf being NULL, you can attempt to identify affected drivers or ports by checking for serial ports with PORT_UNKNOWN status or uninitialized xmit_buf buffers.
No specific commands are provided in the available information. However, monitoring system logs for serial driver errors or hangs, and using debugging tools like 'strace' or 'gdb' to trace the handle_tx() function behavior on serial ports may help detect the issue.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed by updating the Linux kernel to a version where uart_write_room() checks if xmit_buf is NULL and returns 0 accordingly, preventing the infinite loop.
Immediate mitigation steps include:
- Update the Linux kernel to the patched version that includes the fix for this issue.
- Avoid using or initializing serial ports with PORT_UNKNOWN status until the fix is applied.
- Monitor systems for symptoms of hangs related to serial port communication and restart affected services or systems if necessary.