CVE-2025-68308
Description
In the Linux kernel, the following vulnerability has been resolved:
can: kvaser_usb: leaf: Fix potential infinite loop in command parsers
The kvaser_usb_leaf_wait_cmd() and kvaser_usb_leaf_read_bulk_callback functions contain logic to handle zero-length commands. These commands are used to align data to the USB endpoint's wMaxPacketSize boundary.
The driver attempts to skip these placeholders by aligning the buffer position pos to the next packet boundary using the round_up() function.
However, if a zero-length command is found exactly on a packet boundary (i.e., pos is a multiple of wMaxPacketSize, including 0), the round_up() function will return the unchanged value of pos. This prevents pos from being increased, causing an infinite loop in the parsing logic.
This patch fixes this in the function by using pos + 1 instead. This ensures that even if pos is on a boundary, the calculation is based on pos + 1, forcing round_up() to always return the next aligned boundary.
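The boundary case described above, as an added user-space example (not the kernel driver's code). The two-byte [len][id] header, the ROUND_UP macro, the parse_cmds() helper, the packet size of 8 and the sample buffers are assumptions made for illustration; where the real loop would spin forever, the model returns -1.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CMD_HEADER_LEN 2 /* simplified [len][id] header (assumption) */
#define ROUND_UP(x, y) ((((x) + (y) - 1) / (y)) * (y))

/* Constructed 16-byte transfers; a packet size of 8 keeps them short. */
static const uint8_t mid_packet[16]  = { 4, 1, 0, 0, 0, 0, 0, 0, 4, 2 };
static const uint8_t on_boundary[16] = { 4, 1, 0, 0, 4, 2, 0, 0 };
static const uint8_t at_zero[16]     = { 0, 0, 0, 0, 0, 0, 0, 0, 4, 3 };

/* Returns the number of commands parsed, or -1 when the skip step
 * leaves pos unchanged (the point where the driver loop never exits). */
static int parse_cmds(const uint8_t *buf, size_t actual_len,
                      size_t max_packet, int patched)
{
    size_t pos = 0;
    int parsed = 0;

    while (pos + CMD_HEADER_LEN <= actual_len) {
        uint8_t len = buf[pos];

        if (len == 0) { /* alignment placeholder: skip to next packet */
            size_t next = patched ? ROUND_UP(pos + 1, max_packet)
                                  : ROUND_UP(pos, max_packet);
            if (next == pos)
                return -1; /* no forward progress */
            pos = next;
            continue;
        }
        if (pos + len > actual_len)
            break; /* truncated command */
        parsed++;
        pos += len;
    }
    return parsed;
}

int main(void)
{
    const uint8_t *bufs[] = { mid_packet, on_boundary, at_zero };
    const char *names[] = { "mid_packet", "on_boundary", "at_zero" };

    for (int i = 0; i < 3; i++)
        printf("%-12s unpatched=%2d patched=%2d\n", names[i],
               parse_cmds(bufs[i], 16, 8, 0), parse_cmds(bufs[i], 16, 8, 1));
    return 0;
}
```

A placeholder in the middle of a packet parses identically with and without the fix; only a placeholder at offset 0 or at an exact multiple of the packet size stalls the unpatched calculation.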
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's kvaser_usb driver, a boundary condition in command parsing can cause an infinite loop, leading to a denial of service.
In the Linux kernel's kvaser_usb leaf driver, functions kvaser_usb_leaf_wait_cmd() and kvaser_usb_leaf_read_bulk_callback handle zero-length commands used for alignment to the USB endpoint's wMaxPacketSize boundary. The driver attempts to skip these placeholders by aligning position pos using round_up(). However, if a zero-length command is exactly on a packet boundary, round_up returns the same value, preventing progression and causing an infinite loop [1][2].
Exploitation requires an attacker to be able to send crafted USB packets to a system using the vulnerable driver. This could be achieved by plugging in a malicious USB device or via a compromised USB hub. No authentication is needed, as the driver processes packets from any connected device. The infinite loop occurs in kernel context, effectively hanging the parsing routine.
The impact is a denial of service. The infinite loop consumes CPU resources and prevents further processing of CAN commands, potentially freezing the CAN interface or the entire system if the loop ties up critical kernel threads.
The fix, as committed in [1] and [2], addresses the issue by using pos + 1 in the round_up calculation to ensure the position always advances to the next boundary. The patched versions are available as part of Linux kernel updates. Users should apply the latest stable kernel updates to mitigate.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
References
- git.kernel.org/stable/c/028e89c7e8b4346302e88df01cc50e0a1f05791a (nvd)
- git.kernel.org/stable/c/0897cea266e39166a36111059ba147192b36592f (nvd)
- git.kernel.org/stable/c/0c73772cd2b8cc108d5f5334de89ad648d89b9ec (nvd)
- git.kernel.org/stable/c/58343e0a4d43699f0e2f5b169384bbe4c0217add (nvd)
- git.kernel.org/stable/c/69c7825df64e24dc15d31631a1fc9145324b1345 (nvd)
- git.kernel.org/stable/c/bd8135a560cf6e64f0b98ed4daadf126a38f7f48 (nvd)
- git.kernel.org/stable/c/e9dd83a75a7274edef21682c823bf0b66d7b6b7f (nvd)