CVE-2026-23298 - Vulnerability Details

- can: ucan: Fix infinite loop from zero-length messages

Description

In the Linux kernel, the following vulnerability has been resolved:

can: ucan: Fix infinite loop from zero-length messages

If a broken ucan device gets a message with the message length field set
to 0, then the driver will loop for forever in
ucan_read_bulk_callback(), hanging the system. If the length is 0, just
skip the message and go on to the next one.

This has been fixed in the kvaser_usb driver in the past in commit
0c73772cd2b8 ("can: kvaser_usb: leaf: Fix potential infinite loop in
command parsers"), so there must be some broken devices out there like
this somewhere.

Published: 2026-03-25

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

When a CAN device sends a message whose length field is zero, the Linux kernel’s ucan driver enters an infinite loop in ucan_read_bulk_callback(), causing the driver to spin forever and potentially hang the system. The flaw is due to insufficient validation of the message length, classifying it under CWE‑606, and because it can lead to an infinite loop (CWE‑835).

Affected Systems

The vulnerability affects Linux systems that load the ucan module for USB CAN devices, especially those employing the kvaser_usb driver. Any kernel version released prior to the commit that introduced the fix is susceptible when a faulty or malicious CAN device is connected.

Risk and Exploitability

The CVSS base score of 5.5 indicates moderate severity, while an EPSS score below 1% signals a low chance of exploitation in the wild. The likely attack vector is local, inferred from the fact that an attacker would need to plug a compromised or intentionally malformed CAN USB device into the system; it is not remotely reachable and is not listed in CISA’s KEV catalog.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`9f2d3eae88d26c29d96e42983b755940d9169cd9`	affected	< ca07d3c6eef14d34e6fdeefe55058db045be29dc
`9f2d3eae88d26c29d96e42983b755940d9169cd9`	affected	< e7bb6e0606b5f233531aaaad9542d69fbb792115
`9f2d3eae88d26c29d96e42983b755940d9169cd9`	affected	< ab6f075492d37368b4c7b0df7f7fdc2b666887fc
`9f2d3eae88d26c29d96e42983b755940d9169cd9`	affected	< 13b646eec3ba1131180803f5aaf1fee23540ad8f
`9f2d3eae88d26c29d96e42983b755940d9169cd9`	affected	< bd85f21a6219aeae4389d700c54f1799f4b814e0
`9f2d3eae88d26c29d96e42983b755940d9169cd9`	affected	< aa9e0a7fe5efc2f74327fd37d828e9a51d9ff588
`9f2d3eae88d26c29d96e42983b755940d9169cd9`	affected	< c7bc62be6c1a60bb21301692009590b1ffda91d9
`9f2d3eae88d26c29d96e42983b755940d9169cd9`	affected	< 1e446fd0582ad8be9f6dafb115fc2e7245f9bea7

Linux

affected

Version	Status	Constraints
`4.19`	affected	—
`0`	unaffected	< 4.19
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.77`	unaffected	≤ 6.12.*
`6.18.17`	unaffected	≤ 6.18.*
`6.19.7`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[9f2d3eae88d26c29d96e42983b755940d9169cd9,ab6f075492d37368b4c7b0df7f7fdc2b666887fc)`	affected	code_commit	—
`[9f2d3eae88d26c29d96e42983b755940d9169cd9,13b646eec3ba1131180803f5aaf1fee23540ad8f)`	affected	code_commit	—
`[9f2d3eae88d26c29d96e42983b755940d9169cd9,bd85f21a6219aeae4389d700c54f1799f4b814e0)`	affected	code_commit	—
`[9f2d3eae88d26c29d96e42983b755940d9169cd9,aa9e0a7fe5efc2f74327fd37d828e9a51d9ff588)`	affected	code_commit	—
`[9f2d3eae88d26c29d96e42983b755940d9169cd9,c7bc62be6c1a60bb21301692009590b1ffda91d9)`	affected	code_commit	—
`[9f2d3eae88d26c29d96e42983b755940d9169cd9,1e446fd0582ad8be9f6dafb115fc2e7245f9bea7)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`4.19`	affected	generic	—
`[0,4.19)`	unaffected	semver	—
`[6.1.167,6.2.0)`	unaffected	semver	—
`[6.6.130,6.7.0)`	unaffected	semver	—
`[6.12.77,6.13.0)`	unaffected	semver	—
`[6.18.17,6.19.0)`	unaffected	semver	—
`[6.19.7,6.20.0)`	unaffected	semver	—
`[0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a release that includes the ucan infinite‑loop fix.
If the ucan driver is not required, disable or blacklist the module to remove the attack surface.
Ensure that any attached CAN USB devices are authenticated and have not been tampered with before connecting to the system.
Refrain from allowing unknown USB hardware that can provide CAN traffic to connect to the system.

Generated by OpenCVE AI on May 29, 2026 at 16:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4561-1	linux-6.1 security update
Debian DLA	DLA-4606-1	linux security update
Debian DSA	DSA-6238-1	linux security update
Debian DSA	DSA-6243-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00015.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/13b646eec3ba1131180803f5aaf1fee23540ad8f
https://git.kernel.org/stable/c/1e446fd0582ad8be9f6dafb115fc2e7245f9bea7
https://git.kernel.org/stable/c/aa9e0a7fe5efc2f74327fd37d828e9a51d9ff588
https://git.kernel.org/stable/c/ab6f075492d37368b4c7b0df7f7fdc2b666887fc
https://git.kernel.org/stable/c/bd85f21a6219aeae4389d700c54f1799f4b814e0
https://git.kernel.org/stable/c/c7bc62be6c1a60bb21301692009590b1ffda91d9
https://git.kernel.org/stable/c/ca07d3c6eef14d34e6fdeefe55058db045be29dc
https://git.kernel.org/stable/c/e7bb6e0606b5f233531aaaad9542d69fbb792115
https://lore.kernel.org/linux-cve-announce/2026032526-CVE-2026-23298-fad9@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23298
https://www.cve.org/CVERecord?id=CVE-2026-23298

History

Fri, 29 May 2026 14:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-835
CPEs		cpe:2.3:o:linux:linux_kernel:7.0:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::

Sat, 18 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/ca07d3c6eef14d34e6fdeefe55058db045be29dc https://git.kernel.org/stable/c/e7bb6e0606b5f233531aaaad9542d69fbb792115

Thu, 26 Mar 2026 12:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-400

Thu, 26 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-606
References		https://lore.kernel.org/linux-cve-announce/2026032526-CVE-2026-23298-fad9@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23298 https://www.cve.org/CVERecord?id=CVE-2026-23298
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Wed, 25 Mar 2026 22:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-400

Wed, 25 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: can: ucan: Fix infinite loop from zero-length messages If a broken ucan device gets a message with the message length field set to 0, then the driver will loop for forever in ucan_read_bulk_callback(), hanging the system. If the length is 0, just skip the message and go on to the next one. This has been fixed in the kvaser_usb driver in the past in commit 0c73772cd2b8 ("can: kvaser_usb: leaf: Fix potential infinite loop in command parsers"), so there must be some broken devices out there like this somewhere.
Title		can: ucan: Fix infinite loop from zero-length messages
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/13b646eec3ba1131180803f5aaf1fee23540ad8f https://git.kernel.org/stable/c/1e446fd0582ad8be9f6dafb115fc2e7245f9bea7 https://git.kernel.org/stable/c/aa9e0a7fe5efc2f74327fd37d828e9a51d9ff588 https://git.kernel.org/stable/c/ab6f075492d37368b4c7b0df7f7fdc2b666887fc https://git.kernel.org/stable/c/bd85f21a6219aeae4389d700c54f1799f4b814e0 https://git.kernel.org/stable/c/c7bc62be6c1a60bb21301692009590b1ffda91d9

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-25T10:26:54.830Z

Updated: 2026-05-11T22:04:10.668Z

Reserved: 2026-01-13T15:37:45.993Z

Link: CVE-2026-23298

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-03-25T11:16:25.320

Modified: 2026-05-29T14:27:13.180

Link: CVE-2026-23298

Redhat

Severity : Moderate

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23298 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T16:45:03Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object