VYPR
← All advisories
Unrated severityNVD Advisory· Published Apr 3, 2026· Updated Apr 7, 2026

CVE-2026-23472

CVE-2026-23472

Description

In the Linux kernel, the following vulnerability has been resolved:

serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN

uart_write_room() and uart_write() behave inconsistently when xmit_buf is NULL (which happens for PORT_UNKNOWN ports that were never properly initialized):

  • uart_write_room() returns kfifo_avail() which can be > 0
  • uart_write() checks xmit_buf and returns 0 if NULL

This inconsistency causes an infinite loop in drivers that rely on tty_write_room() to determine if they can write:

while (tty_write_room(tty) > 0) { written = tty->ops->write(...); // written is always 0, loop never exits }

For example, caif_serial's handle_tx() enters an infinite loop when used with PORT_UNKNOWN serial ports, causing system hangs.

Fix by making uart_write_room() also check xmit_buf and return 0 if it's NULL, consistent with uart_write().

Reproducer: https://gist.github.com/mrpre/d9a694cc0e19828ee3bc3b37983fde13

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel, inconsistent behavior between uart_write_room() and uart_write() when xmit_buf is NULL causes an infinite loop in drivers (e.g., caif_serial) for PORT_UNKNOWN ports, leading to system hangs.

Vulnerability

The Linux kernel's serial core contains an inconsistency between uart_write_room() and uart_write() when the transmit buffer (xmit_buf) is NULL. This occurs for PORT_UNKNOWN serial ports that were never properly initialized. The function uart_write_room() returns kfifo_avail(), which can be greater than zero even when xmit_buf is NULL, while uart_write() checks for xmit_buf and returns 0 if it is NULL [1].

Exploitation

A driver (such as caif_serial) that relies on tty_write_room() to determine write availability can enter an infinite loop: it repeatedly calls tty_write_room(), which returns a positive value, and then calls tty->ops->write(), which always returns 0 because uart_write() returns early due to the missing buffer. This loop never exits, causing a system hang [2]. The attack surface is limited to configurations where a PORT_UNKNOWN serial port is used, and no authentication is required for an attacker to trigger this if they can force such a port to be active.

Impact

The vulnerability results in a denial of service (system hang) on systems using affected drivers with uninitialized serial ports. The impact is local but can be triggered without privileges if an attacker can cause the vulnerable code path to be executed.

Mitigation

The fix has been merged into the Linux kernel stable tree [3]. Users should apply the kernel update that includes the commit making uart_write_room() also check xmit_buf and return 0 if it is NULL, consistent with uart_write(). No workaround is available for unpatched kernels.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!
  3. Making sure you're not a bot!

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.