CVE-2026-23298
Description
In the Linux kernel, the following vulnerability has been resolved:
can: ucan: Fix infinite loop from zero-length messages
If a broken ucan device gets a message with the message length field set to 0, then the driver will loop for forever in ucan_read_bulk_callback(), hanging the system. If the length is 0, just skip the message and go on to the next one.
This has been fixed in the kvaser_usb driver in the past in commit 0c73772cd2b8 ("can: kvaser_usb: leaf: Fix potential infinite loop in command parsers"), so there must be some broken devices out there like this somewhere.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's ucan CAN driver, a zero-length message from a malicious device causes an infinite loop, leading to a system hang.
Vulnerability
Description
In the Linux kernel's ucan CAN driver (drivers/net/can/usb/ucan.c), the ucan_read_bulk_callback() function processes incoming USB messages from a CAN device. If a device sends a message with the length field set to 0, the driver enters an infinite loop because it does not validate the length before processing. This bug is analogous to a previously fixed issue in the kvaser_usb driver (commit 0c73772cd2b8), indicating that similar broken devices exist in the field [1][2][3][4].
Exploitation
Conditions
An attacker must have a USB CAN device that can send crafted messages with a zero-length field. This could be achieved through physical access to the USB port or by compromising a legitimate device to inject malicious packets. No authentication is required; the driver implicitly trusts the message length provided by the device. The vulnerability is triggered when the driver receives such a message in the bulk callback, causing an infinite loop that consumes CPU resources.
Impact
Successful exploitation results in a denial of service (DoS) by hanging the entire system. The infinite loop prevents the CPU from executing other tasks, effectively freezing the machine. This can lead to loss of availability for any services running on the affected system.
Mitigation
The fix has been applied to the Linux kernel stable tree via commits [1][2][3][4]. Users should update to a kernel version that includes these commits. No workaround is documented; the driver must be patched to skip zero-length messages.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- git.kernel.org/stable/c/13b646eec3ba1131180803f5aaf1fee23540ad8fnvd
- git.kernel.org/stable/c/1e446fd0582ad8be9f6dafb115fc2e7245f9bea7nvd
- git.kernel.org/stable/c/aa9e0a7fe5efc2f74327fd37d828e9a51d9ff588nvd
- git.kernel.org/stable/c/ab6f075492d37368b4c7b0df7f7fdc2b666887fcnvd
- git.kernel.org/stable/c/bd85f21a6219aeae4389d700c54f1799f4b814e0nvd
- git.kernel.org/stable/c/c7bc62be6c1a60bb21301692009590b1ffda91d9nvd
- git.kernel.org/stable/c/ca07d3c6eef14d34e6fdeefe55058db045be29dcnvd
- git.kernel.org/stable/c/e7bb6e0606b5f233531aaaad9542d69fbb792115nvd
News mentions
0No linked articles in our index yet.