CVE-2026-23298

EUVD-2026-15233

25.03.2026, 11:16

In the Linux kernel, the following vulnerability has been resolved:

can: ucan: Fix infinite loop from zero-length messages

If a broken ucan device gets a message with the message length field set
to 0, then the driver will loop for forever in
ucan_read_bulk_callback(), hanging the system.  If the length is 0, just
skip the message and go on to the next one.

This has been fixed in the kvaser_usb driver in the past in commit
0c73772cd2b8 ("can: kvaser_usb: leaf: Fix potential infinite loop in
command parsers"), so there must be some broken devices out there like
this somewhere.

Infinite Loop

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 2%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	4.19 ≤ 𝑥 < 5.10.253
linux	linux_kernel	5.11 ≤ 𝑥 < 5.15.203
linux	linux_kernel	5.16 ≤ 𝑥 < 6.1.167
linux	linux_kernel	6.2 ≤ 𝑥 < 6.6.130
linux	linux_kernel	6.7 ≤ 𝑥 < 6.12.77
linux	linux_kernel	6.13 ≤ 𝑥 < 6.18.17
linux	linux_kernel	6.19 ≤ 𝑥 < 6.19.7
linux	linux_kernel	7.0:rc1
linux	linux_kernel	7.0:rc2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.170-3 fixed
bookworm (security)	6.1.174-1 fixed
bullseye	vulnerable
bullseye (security)	5.10.257-1 fixed
forky	7.0.12-2 fixed
sid	7.0.13-1 fixed
trixie	6.12.86-1 fixed
trixie (security)	6.12.94-1 fixed

linux-6.1

bullseye (security)

6.1.174-1~deb11u1

fixed

openSUSE / SLES Releases

openSUSE Product

Release

kernel-64kb

suse enterprise desktop 15 SP7	6.4.0-150700.53.55.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.55.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.55.1 fixed

kernel-azure

suse enterprise sap 15 SP7	6.4.0-150700.53.55.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.55.1 fixed

kernel-default

suse enterprise desktop 15 SP7	6.4.0-150700.53.55.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.55.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.55.1 fixed

kernel-default-base

suse enterprise desktop 15 SP7	6.4.0-150700.53.55.1.150700.17.33.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.55.1.150700.17.33.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.55.1.150700.17.33.1 fixed

kernel-obs-build

suse enterprise desktop 15 SP7	6.4.0-150700.53.55.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.55.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.55.1 fixed

kernel-source

suse enterprise desktop 15 SP7	6.4.0-150700.53.55.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.55.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.55.1 fixed

kernel-zfcpdump

suse enterprise desktop 15 SP7	6.4.0-150700.53.55.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.55.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.55.1 fixed

Azure Linux Releases

Azure Package

Release

kernel

Azure Linux 3.0

0:6.6.130.1-1.azl3

fixed

Common Weakness Enumeration

CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

References

https://git.kernel.org/stable/c/13b646eec3ba1131180803f5aaf1fee23540ad8f

https://git.kernel.org/stable/c/1e446fd0582ad8be9f6dafb115fc2e7245f9bea7

https://git.kernel.org/stable/c/aa9e0a7fe5efc2f74327fd37d828e9a51d9ff588

https://git.kernel.org/stable/c/ab6f075492d37368b4c7b0df7f7fdc2b666887fc

https://git.kernel.org/stable/c/bd85f21a6219aeae4389d700c54f1799f4b814e0

https://git.kernel.org/stable/c/c7bc62be6c1a60bb21301692009590b1ffda91d9

https://git.kernel.org/stable/c/ca07d3c6eef14d34e6fdeefe55058db045be29dc

https://git.kernel.org/stable/c/e7bb6e0606b5f233531aaaad9542d69fbb792115