{
  "threat_severity" : "Moderate",
  "public_date" : "2026-03-25T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: can: ucan: Fix infinite loop from zero-length messages",
    "id" : "2451227",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2451227"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-606",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ncan: ucan: Fix infinite loop from zero-length messages\nIf a broken ucan device gets a message with the message length field set\nto 0, then the driver will loop forever in\nucan_read_bulk_callback(), hanging the system.  If the length is 0, just\nskip the message and go on to the next one.\nThis has been fixed in the kvaser_usb driver in the past in commit\n0c73772cd2b8 (\"can: kvaser_usb: leaf: Fix potential infinite loop in\ncommand parsers\"), so there must be some broken devices out there like\nthis somewhere.", "A flaw was found in the Linux kernel's CAN (Controller Area Network) ucan driver. This vulnerability allows a connected ucan device to send a message whose length field is set to 0. Such a message can trigger an infinite loop within the driver, causing the system to hang. This ultimately leads to a denial of service (DoS), making the system unresponsive." ],
  "statement" : "This flaw affects systems with ucan USB-CAN adapters. A malicious or broken device can send zero-length messages that cause the driver to enter an infinite loop in ucan_read_bulk_callback(), hanging the system. Physical access to connect the USB device is required. Similar issues have been fixed in other CAN USB drivers (kvaser_usb).",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23298\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23298\nhttps://lore.kernel.org/linux-cve-announce/2026032526-CVE-2026-23298-fad9@gregkh/T" ],
  "name" : "CVE-2026-23298",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent the ucan module from being loaded. See https://access.redhat.com/solutions/41278 for instructions.",
    "lang" : "en:us"
  },
  "csaw" : false
}