{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23298", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.993Z", "datePublished": "2026-03-25T10:26:54.830Z", "dateUpdated": "2026-03-25T10:26:54.830Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:26:54.830Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: ucan: Fix infinite loop from zero-length messages\n\nIf a broken ucan device gets a message with the message length field set\nto 0, then the driver will loop for forever in\nucan_read_bulk_callback(), hanging the system. If the length is 0, just\nskip the message and go on to the next one.\n\nThis has been fixed in the kvaser_usb driver in the past in commit\n0c73772cd2b8 (\"can: kvaser_usb: leaf: Fix potential infinite loop in\ncommand parsers\"), so there must be some broken devices out there like\nthis somewhere."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/can/usb/ucan.c"], "versions": [{"version": "9f2d3eae88d26c29d96e42983b755940d9169cd9", "lessThan": "ab6f075492d37368b4c7b0df7f7fdc2b666887fc", "status": "affected", "versionType": "git"}, {"version": "9f2d3eae88d26c29d96e42983b755940d9169cd9", "lessThan": "13b646eec3ba1131180803f5aaf1fee23540ad8f", "status": "affected", "versionType": "git"}, {"version": "9f2d3eae88d26c29d96e42983b755940d9169cd9", "lessThan": "bd85f21a6219aeae4389d700c54f1799f4b814e0", "status": "affected", "versionType": "git"}, {"version": "9f2d3eae88d26c29d96e42983b755940d9169cd9", "lessThan": "aa9e0a7fe5efc2f74327fd37d828e9a51d9ff588", "status": "affected", "versionType": "git"}, {"version": "9f2d3eae88d26c29d96e42983b755940d9169cd9", "lessThan": "c7bc62be6c1a60bb21301692009590b1ffda91d9", "status": "affected", "versionType": "git"}, {"version": "9f2d3eae88d26c29d96e42983b755940d9169cd9", "lessThan": "1e446fd0582ad8be9f6dafb115fc2e7245f9bea7", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/can/usb/ucan.c"], "versions": [{"version": "4.19", "status": "affected"}, {"version": "0", "lessThan": "4.19", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19", "versionEndExcluding": "7.0-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/ab6f075492d37368b4c7b0df7f7fdc2b666887fc"}, {"url": "https://git.kernel.org/stable/c/13b646eec3ba1131180803f5aaf1fee23540ad8f"}, {"url": "https://git.kernel.org/stable/c/bd85f21a6219aeae4389d700c54f1799f4b814e0"}, {"url": "https://git.kernel.org/stable/c/aa9e0a7fe5efc2f74327fd37d828e9a51d9ff588"}, {"url": "https://git.kernel.org/stable/c/c7bc62be6c1a60bb21301692009590b1ffda91d9"}, {"url": "https://git.kernel.org/stable/c/1e446fd0582ad8be9f6dafb115fc2e7245f9bea7"}], "title": "can: ucan: Fix infinite loop from zero-length messages", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: ucan: Fix infinite loop from zero-length messages\n\nIf a broken ucan device gets a message with the message length field set\nto 0, then the driver will loop for forever in\nucan_read_bulk_callback(), hanging the system. If the length is 0, just\nskip the message and go on to the next one.\n\nThis has been fixed in the kvaser_usb driver in the past in commit\n0c73772cd2b8 (\"can: kvaser_usb: leaf: Fix potential infinite loop in\ncommand parsers\"), so there must be some broken devices out there like\nthis somewhere."}], "id": "CVE-2026-23298", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:25.320", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/13b646eec3ba1131180803f5aaf1fee23540ad8f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1e446fd0582ad8be9f6dafb115fc2e7245f9bea7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/aa9e0a7fe5efc2f74327fd37d828e9a51d9ff588"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ab6f075492d37368b4c7b0df7f7fdc2b666887fc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/bd85f21a6219aeae4389d700c54f1799f4b814e0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c7bc62be6c1a60bb21301692009590b1ffda91d9"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: can: ucan: Fix infinite loop from zero-length messages", "id": "2451227", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451227"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-606", "details": ["A flaw was found in the Linux kernel's CAN (Controller Area Network) ucan driver. This vulnerability allows a connected ucan device to send a message with a zero-length field. Such a message can trigger an infinite loop within the driver, causing the system to hang. This ultimately leads to a denial of service (DoS), making the system unresponsive."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, prevent the ucan module from being loaded. See https://access.redhat.com/solutions/41278 for instructions."}, "name": "CVE-2026-23298", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23298\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23298\nhttps://lore.kernel.org/linux-cve-announce/2026032526-CVE-2026-23298-fad9@gregkh/T"], "statement": "This flaw affects systems with ucan USB-CAN adapters. A malicious or broken device can send zero-length messages that cause the driver to enter an infinite loop in ucan_read_bulk_callback(), hanging the system. Physical access to connect the USB device is required. Similar issues have been fixed in other CAN USB drivers (kvaser_usb).", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-03-25T11:23:03.344421+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes the patch fixing the infinite loop (apply commit 0c73772cd2b8 or newer).", "If an upgrade is not immediately possible, disable or remove the kvaser_usb module until patched.", "Verify that CAN devices in use are not configured to send zero\u2011length frames; use firmware or driver updates that enforce message length validation.", "Monitor the system for hangs or high CPU usage from the ucan driver, and employ watchdog or reboot policies to recover from a potential lockup.", "Keep firmware of CAN hardware up to date to prevent sending malformed frames."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Linux kernel\u2019s ucan driver, which is used by devices such as kvaser_usb CAN interface cards. Any system running Linux with the ucan / kvaser_usb driver enabled and connected to a CAN bus that may transmit zero\u2011length frames is susceptible. The exact kernel versions are not listed, but the commit that fixed the infinite loop in the kvaser_usb driver (0c73772cd2b8) was applied earlier, so kernel builds that predate or omit that patch are affected.", "description_and_impact": "In the Linux kernel a broken ucan device that receives a CAN message with a length field set to zero causes the driver to enter an infinite loop, permanently hanging the system. This results in a denial\u2011of\u2011service condition, as no further kernel activity can proceed while the callback remains blocked. The weakness is due to unvalidated input in the ucan_read_bulk_callback function, which fails to skip or reject zero\u2011length messages.", "risk_and_exploitability": "The CVSS score is not provided, and EPSS is unavailable, but the vulnerability is a classic denial\u2011of\u2011service flaw that can be triggered by a malicious or misconfigured CAN device on the bus. Since the bug is exercised through normal CAN traffic, an attacker with access to the bus can repeatedly send zero\u2011length frames to crash the device, causing system stalls. The issue is not listed in CISA\u2019s KEV catalog, so there is no public evidence of widespread exploitation yet, however the risk remains high for environments with exposed CAN interfaces."}}}}, "created": "2026-03-25T21:15:32.339376+00:00", "updated": "2026-03-25T21:15:32.339417+00:00", "vendors": [], "weaknesses": ["CWE-400"]}