Description
In the Linux kernel, the following vulnerability has been resolved:

can: ucan: Fix infinite loop from zero-length messages

If a broken ucan device gets a message with the message length field set
to 0, then the driver will loop forever in
ucan_read_bulk_callback(), hanging the system. If the length is 0, just
skip the message and go on to the next one.

This has been fixed in the kvaser_usb driver in the past in commit
0c73772cd2b8 ("can: kvaser_usb: leaf: Fix potential infinite loop in
command parsers"), so there must be some broken devices out there like
this somewhere.
Published: 2026-03-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

When a ucan USB CAN adapter delivers a bulk transfer containing a message whose length field is zero, the Linux kernel's ucan driver never advances past that message and loops forever in ucan_read_bulk_callback(), the URB completion callback, hanging the system. The root cause is that the device-supplied length is used to advance the parse loop without being checked for zero: an unchecked input used as a loop condition (CWE-606) that results in uncontrolled resource consumption (CWE-400). The effect is a local denial of service with no confidentiality or integrity impact.
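The loop described above, as an added illustration that is not the ucan driver's code and does not use the real UCAN wire format: a constructed parser over a bulk transfer of length-prefixed messages, written once with the advance-by-device-length loop the description attributes to the driver (an iteration cap is added only so the demo terminates) and once hardened so that every path through the loop moves the cursor. It generalizes the commit's zero-length case to any length smaller than the message header, since neither can advance the cursor by a full message. All names here (parse_buggy, parse_fixed, HDR_LEN, the sample buffers) are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed wire format for this demo (NOT the real UCAN USB protocol):
 * each message is a 2-byte little-endian length that counts the whole
 * message, header included, followed by (length - 2) payload bytes.
 * A bulk transfer carries several such messages back to back.
 */
#define HDR_LEN 2u

struct parse_result {
    int msgs;       /* well-formed messages consumed */
    int bad_len;    /* messages whose length could not advance the cursor */
    int truncated;  /* a message claimed more bytes than the transfer holds */
    int hung;       /* buggy parser made no progress (would spin in a kernel) */
};

static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/*
 * Model of the bug in the advisory: the cursor advances by the device-supplied
 * length, so a zero length re-parses the same bytes forever. The 'cap'
 * argument exists only so this demo terminates; the vulnerable driver had no
 * such guard.
 */
struct parse_result parse_buggy(const uint8_t *buf, size_t len, unsigned cap)
{
    struct parse_result r = {0, 0, 0, 0};
    size_t pos = 0;
    unsigned iter = 0;

    while (pos + HDR_LEN <= len) {
        uint16_t mlen = rd16le(buf + pos);

        if (++iter > cap) {
            r.hung = 1;          /* stand-in for the real driver's infinite loop */
            break;
        }
        if (pos + mlen > len) {  /* bounds check present, but no check for mlen == 0 */
            r.truncated = 1;
            break;
        }
        r.msgs++;
        pos += mlen;             /* mlen == 0: pos does not move */
    }
    return r;
}

/*
 * Hardened parser: any length smaller than the header (zero included) cannot
 * advance the cursor by a full message, so it is counted as malformed and the
 * cursor is moved past the header to resume at the next candidate message.
 * Stopping the parse of this transfer instead would also be a valid choice.
 */
struct parse_result parse_fixed(const uint8_t *buf, size_t len)
{
    struct parse_result r = {0, 0, 0, 0};
    size_t pos = 0;

    while (pos + HDR_LEN <= len) {
        uint16_t mlen = rd16le(buf + pos);

        if (mlen < HDR_LEN) {    /* zero or sub-header length: skip it */
            r.bad_len++;
            pos += HDR_LEN;
            continue;
        }
        if (pos + mlen > len) {  /* device claims more bytes than were delivered */
            r.truncated = 1;
            break;
        }
        r.msgs++;
        pos += mlen;             /* every path through the loop now moves pos */
    }
    return r;
}

/* Constructed transfer: a 6-byte message, a zero-length message, a 4-byte message. */
static const uint8_t sample_xfer[] = {
    0x06, 0x00, 0xAA, 0xBB, 0xCC, 0xDD,
    0x00, 0x00,
    0x04, 0x00, 0xEE, 0xFF,
};

/* Constructed transfer whose single message claims 10 bytes but delivers 3. */
static const uint8_t sample_truncated[] = { 0x0A, 0x00, 0xAA };

int main(void)
{
    struct parse_result b = parse_buggy(sample_xfer, sizeof sample_xfer, 16);
    struct parse_result f = parse_fixed(sample_xfer, sizeof sample_xfer);
    struct parse_result t = parse_fixed(sample_truncated, sizeof sample_truncated);

    printf("buggy: msgs=%d hung=%d\n", b.msgs, b.hung);
    printf("fixed: msgs=%d bad_len=%d truncated=%d\n", f.msgs, f.bad_len, f.truncated);
    printf("fixed on truncated input: msgs=%d truncated=%d\n", t.msgs, t.truncated);
    return 0;
}
```

On the sample transfer the buggy loop consumes the first message, then re-reads the zero-length header until the cap trips; the hardened loop reports two messages and one skipped bad length. The invariant worth reviewing in any such parser is that the cursor strictly increases on every iteration, which a bounds check alone (present in both versions) does not guarantee.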

Affected Systems

The vulnerability affects Linux systems with the ucan driver (CONFIG_CAN_UCAN) loaded, which in practice means hosts with a UCAN-protocol USB CAN adapter attached or with the module loaded for other reasons. The kvaser_usb driver is not affected by this issue; the commit message cites it only because an equivalent zero-length loop was fixed there earlier in commit 0c73772cd2b8. Any kernel that predates the fix commit is susceptible when a faulty or malicious device is connected. This page does not yet list fixed versions, so check the kernel changelog for the commit titled "can: ucan: Fix infinite loop from zero-length messages".

Risk and Exploitability

The CVSS 3.1 base score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) reflects an availability-only impact with a local attack vector, and the EPSS score below 1% signals a low probability of exploitation in the wild. Triggering the bug requires control of the device side of the USB link: a faulty adapter, a tampered one, or any hardware that emulates a UCAN device. The zero-length field lives in the USB-level framing produced by the adapter's firmware rather than in a CAN frame, so it is the adapter (or something impersonating it) that must misbehave, not a node on the CAN bus. The issue is not reachable over the network and is not listed in CISA's KEV catalog.

Generated by OpenCVE AI on March 26, 2026 at 14:43 UTC.

Remediation

No vendor advisory or workaround is listed here. The fix is the upstream kernel commit named in the description, which skips a zero-length message and continues with the next one instead of re-parsing it.

OpenCVE Recommended Actions

  • Update the Linux kernel to a release that includes the commit "can: ucan: Fix infinite loop from zero-length messages".
  • If no UCAN adapter is used, prevent the module from loading: a "blacklist ucan" line in a file under /etc/modprobe.d/ stops alias-based autoload when a matching device is plugged in, and an "install ucan /bin/false" line additionally blocks explicit modprobe requests. Confirm with "lsmod | grep ucan" that the module is not loaded.
  • Treat USB CAN adapters as untrusted peripherals: source them from known vendors, keep their firmware current, and inspect devices for tampering before connecting them. USB devices cannot be cryptographically authenticated by the host, so this is a supply-chain and handling control rather than a technical one.
  • Do not allow unknown USB hardware on the system. Where policy allows, keep new USB devices unauthorized by default (the kernel's per-device "authorized" attribute under /sys/bus/usb/devices/, or a USBGuard policy) so that an unexpected device is not bound to a driver automatically.


Advisories

No advisories yet.

History

Sat, 18 Apr 2026 09:15:00 +0000


Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-606
References
Metrics threat_severity: None cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; threat_severity: Moderate


Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: can: ucan: Fix infinite loop from zero-length messages (full text as in the Description section above)
Title can: ucan: Fix infinite loop from zero-length messages
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-18T08:57:46.166Z

Reserved: 2026-01-13T15:37:45.993Z

Link: CVE-2026-23298

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-25T11:16:25.320

Modified: 2026-04-18T09:16:17.590

Link: CVE-2026-23298

Redhat

Severity : Moderate

Public Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23298 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:50:08Z

Weaknesses