Description
In the Linux kernel, the following vulnerability has been resolved:

serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN

uart_write_room() and uart_write() behave inconsistently when
xmit_buf is NULL (which happens for PORT_UNKNOWN ports that were
never properly initialized):

- uart_write_room() returns kfifo_avail() which can be > 0
- uart_write() checks xmit_buf and returns 0 if NULL

This inconsistency causes an infinite loop in drivers that rely on
tty_write_room() to determine if they can write:

    while (tty_write_room(tty) > 0) {
        written = tty->ops->write(...);
        // written is always 0, loop never exits
    }

For example, caif_serial's handle_tx() enters an infinite loop when
used with PORT_UNKNOWN serial ports, causing system hangs.

Fix by making uart_write_room() also check xmit_buf and return 0 if
it's NULL, consistent with uart_write().

Reproducer: https://gist.github.com/mrpre/d9a694cc0e19828ee3bc3b37983fde13
Published: 2026-04-03
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

An inconsistency between the serial core functions uart_write_room() and uart_write() in the Linux kernel creates an infinite loop when a PORT_UNKNOWN serial port has an uninitialized transmit buffer. Drivers that rely on tty_write_room() to decide whether space is available for writing will repeatedly call write, receive zero bytes, and remain in the loop, causing the system to hang. This constitutes a denial‑of‑service condition triggered by misinitialized serial ports.
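A user-space C model of the inconsistency described above, added here as an illustration; it is not kernel code and not taken from the advisory or the reproducer. The struct, the function names and the iteration cap (which stands in for "loops forever") are assumptions made for the model.

```c
#include <stdio.h>
#include <string.h>

/* User-space model; names are illustrative, not the kernel's definitions. */
struct mport {
    unsigned char *xmit_buf; /* NULL on a never-initialized PORT_UNKNOWN port */
    size_t size, used;       /* transmit FIFO capacity and fill level */
};
enum { SPIN_CAP = 1000 };    /* iteration cap so the model always terminates */

/* Pre-fix write_room: reports FIFO space without looking at xmit_buf. */
static size_t room_before(const struct mport *p) { return p->size - p->used; }

/* Post-fix write_room: no buffer means no room, consistent with the write path. */
static size_t room_after(const struct mport *p)
{
    return p->xmit_buf ? p->size - p->used : 0;
}

/* Write path as described: returns 0 when xmit_buf is NULL. */
static size_t model_write(struct mport *p, const unsigned char *d, size_t n)
{
    size_t room = p->size - p->used;
    if (!p->xmit_buf)
        return 0;
    n = n < room ? n : room;
    memcpy(p->xmit_buf + p->used, d, n);
    p->used += n;
    return n;
}

/* Driver loop from the description; returns iterations (SPIN_CAP means hang). */
static unsigned drain(struct mport *p, size_t (*room)(const struct mport *))
{
    static const unsigned char frame[8]; /* constructed 8-byte payload */
    unsigned iters;
    for (iters = 0; room(p) > 0 && iters < SPIN_CAP; iters++)
        model_write(p, frame, sizeof frame);
    return iters;
}

/* Run the loop on a constructed port: with or without a buffer, fixed or not. */
unsigned spins(int has_buf, int fixed)
{
    unsigned char buf[32];
    struct mport p = { has_buf ? buf : NULL, sizeof buf, 0 };
    return drain(&p, fixed ? room_after : room_before);
}

int main(void)
{
    printf("no buffer: pre-fix %u, post-fix %u; with buffer: post-fix %u\n",
           spins(0, 0), spins(0, 1), spins(1, 1));
}
```

On a port with a buffer both variants stop after the FIFO fills; only the port without a buffer separates the pre-fix and post-fix behaviour.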

Affected Systems

Any Linux kernel build that contains the buggy serial core code before the fix is affected. The vendors listed are Linux:Linux, which covers all standard Linux kernels. Specific affected kernel versions are not enumerated in the advisory, so any kernel prior to the commit that introduced the patch is potentially vulnerable.

Risk and Exploitability

The advisory does not provide CVSS or EPSS scores, and the vulnerability is not in the CISA Known Exploited Vulnerabilities catalog. Based on the description, the bug could be exploited by an entity with the ability to load or configure a driver that opens a PORT_UNKNOWN serial port, leading to a system hang. The lack of explicit exploitation details limits the assessment, but the potential for widespread denial of service remains for affected systems.

Generated by OpenCVE AI on April 3, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that includes the serial write bug fix
  • Rebuild the kernel from a source tree that contains the corrected commit if an official update is unavailable
  • Disable or properly initialize any unused or unconfigured serial ports to avoid triggering the buggy code path

Advisories

No advisories yet.

History

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-474
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-617

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Title serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-03T15:15:51.209Z

Reserved: 2026-01-13T15:37:46.022Z

Link: CVE-2026-23472

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-03T16:16:34.977

Modified: 2026-04-03T16:16:34.977

Link: CVE-2026-23472

Redhat

Severity : Moderate

Public Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23472 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T21:15:41Z
