{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23298", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.993Z", "datePublished": "2026-03-25T10:26:54.830Z", "dateUpdated": "2026-03-25T10:26:54.830Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:26:54.830Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: ucan: Fix infinite loop from zero-length messages\n\nIf a broken ucan device gets a message with the message length field set\nto 0, then the driver will loop for forever in\nucan_read_bulk_callback(), hanging the system. If the length is 0, just\nskip the message and go on to the next one.\n\nThis has been fixed in the kvaser_usb driver in the past in commit\n0c73772cd2b8 (\"can: kvaser_usb: leaf: Fix potential infinite loop in\ncommand parsers\"), so there must be some broken devices out there like\nthis somewhere."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/can/usb/ucan.c"], "versions": [{"version": "9f2d3eae88d26c29d96e42983b755940d9169cd9", "lessThan": "ab6f075492d37368b4c7b0df7f7fdc2b666887fc", "status": "affected", "versionType": "git"}, {"version": "9f2d3eae88d26c29d96e42983b755940d9169cd9", "lessThan": "13b646eec3ba1131180803f5aaf1fee23540ad8f", "status": "affected", "versionType": "git"}, {"version": "9f2d3eae88d26c29d96e42983b755940d9169cd9", "lessThan": "bd85f21a6219aeae4389d700c54f1799f4b814e0", "status": "affected", "versionType": "git"}, {"version": "9f2d3eae88d26c29d96e42983b755940d9169cd9", "lessThan": "aa9e0a7fe5efc2f74327fd37d828e9a51d9ff588", "status": "affected", "versionType": "git"}, {"version": "9f2d3eae88d26c29d96e42983b755940d9169cd9", "lessThan": "c7bc62be6c1a60bb21301692009590b1ffda91d9", "status": "affected", "versionType": "git"}, {"version": "9f2d3eae88d26c29d96e42983b755940d9169cd9", "lessThan": "1e446fd0582ad8be9f6dafb115fc2e7245f9bea7", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/can/usb/ucan.c"], "versions": [{"version": "4.19", "status": "affected"}, {"version": "0", "lessThan": "4.19", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19", "versionEndExcluding": "7.0-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/ab6f075492d37368b4c7b0df7f7fdc2b666887fc"}, {"url": "https://git.kernel.org/stable/c/13b646eec3ba1131180803f5aaf1fee23540ad8f"}, {"url": "https://git.kernel.org/stable/c/bd85f21a6219aeae4389d700c54f1799f4b814e0"}, {"url": "https://git.kernel.org/stable/c/aa9e0a7fe5efc2f74327fd37d828e9a51d9ff588"}, {"url": "https://git.kernel.org/stable/c/c7bc62be6c1a60bb21301692009590b1ffda91d9"}, {"url": "https://git.kernel.org/stable/c/1e446fd0582ad8be9f6dafb115fc2e7245f9bea7"}], "title": "can: ucan: Fix infinite loop from zero-length messages", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: ucan: Fix infinite loop from zero-length messages\n\nIf a broken ucan device gets a message with the message length field set\nto 0, then the driver will loop for forever in\nucan_read_bulk_callback(), hanging the system. If the length is 0, just\nskip the message and go on to the next one.\n\nThis has been fixed in the kvaser_usb driver in the past in commit\n0c73772cd2b8 (\"can: kvaser_usb: leaf: Fix potential infinite loop in\ncommand parsers\"), so there must be some broken devices out there like\nthis somewhere."}], "id": "CVE-2026-23298", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:25.320", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/13b646eec3ba1131180803f5aaf1fee23540ad8f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1e446fd0582ad8be9f6dafb115fc2e7245f9bea7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/aa9e0a7fe5efc2f74327fd37d828e9a51d9ff588"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ab6f075492d37368b4c7b0df7f7fdc2b666887fc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/bd85f21a6219aeae4389d700c54f1799f4b814e0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c7bc62be6c1a60bb21301692009590b1ffda91d9"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: can: ucan: Fix infinite loop from zero-length messages", "id": "2451227", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451227"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-606", "details": ["A flaw was found in the Linux kernel's CAN (Controller Area Network) ucan driver. This vulnerability allows a connected ucan device to send a message with a zero-length field. Such a message can trigger an infinite loop within the driver, causing the system to hang. This ultimately leads to a denial of service (DoS), making the system unresponsive."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, prevent the ucan module from being loaded. See https://access.redhat.com/solutions/41278 for instructions."}, "name": "CVE-2026-23298", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23298\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23298\nhttps://lore.kernel.org/linux-cve-announce/2026032526-CVE-2026-23298-fad9@gregkh/T"], "statement": "This flaw affects systems with ucan USB-CAN adapters. A malicious or broken device can send zero-length messages that cause the driver to enter an infinite loop in ucan_read_bulk_callback(), hanging the system. Physical access to connect the USB device is required. Similar issues have been fixed in other CAN USB drivers (kvaser_usb).", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[9f2d3eae88d26c29d96e42983b755940d9169cd9,ab6f075492d37368b4c7b0df7f7fdc2b666887fc)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[9f2d3eae88d26c29d96e42983b755940d9169cd9,13b646eec3ba1131180803f5aaf1fee23540ad8f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[9f2d3eae88d26c29d96e42983b755940d9169cd9,bd85f21a6219aeae4389d700c54f1799f4b814e0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[9f2d3eae88d26c29d96e42983b755940d9169cd9,aa9e0a7fe5efc2f74327fd37d828e9a51d9ff588)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[9f2d3eae88d26c29d96e42983b755940d9169cd9,c7bc62be6c1a60bb21301692009590b1ffda91d9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[9f2d3eae88d26c29d96e42983b755940d9169cd9,1e446fd0582ad8be9f6dafb115fc2e7245f9bea7)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "4.19"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,4.19)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-26T02:27:56.146245+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes the ucan driver fix.", "If an immediate kernel update is not possible, disconnect or disable the problematic ucan device to prevent further attack attempts.", "Ensure that no legislation or code modules permit the transmission of zero\u2011length messages from attached CAN bus devices."], "summary": {"action": "Patch Kernel", "impact": "Denial of Service via infinite loop"}, "threat_synthesis": {"affected_systems": "All users of the Linux kernel whose ucan driver has not yet been updated to include the recent fix are affected. The vulnerability does not depend on vendor, but applies to any Linux distribution running an unpatched kernel that supports ucan CAN bus devices.", "description_and_impact": "The Linux kernel ucan driver can enter an infinite loop when processing a message with a zero\u2011length field. When a broken ucan device sends such a message, the driver\u2019s read callback never exits, effectively hanging the system and preventing normal operation until a reboot or manual intervention.", "risk_and_exploitability": "The CVSS score of 5.5 indicates moderate severity, and an EPSS score below 1\u202f% shows a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require an attacker to have access to a broken ucan device capable of sending a zero\u2011length message, which could occur if the device is connected locally or compromised. Successful exploitation results in a denial of service by locking the system in an endless loop."}}}}, "created": "2026-03-25T21:15:32.339376+00:00", "updated": "2026-03-26T12:16:58.360787+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}