CVE-2026-23298

If a broken ucan device gets a message with the message length field set to 0, then the driver will loop for forever in ucanreadbulk_callback(), hanging the system. If the length is 0, just skip the message and go on to the next one.

This has been fixed in the kvaserusb driver in the past in commit 0c73772cd2b8 ("can: kvaserusb: leaf: Fix potential infinite loop in command parsers"), so there must be some broken devices out there like this somewhere.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23298.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

9f2d3eae88d26c29d96e42983b755940d9169cd9

Fixed

ab6f075492d37368b4c7b0df7f7fdc2b666887fc

Fixed

13b646eec3ba1131180803f5aaf1fee23540ad8f

Fixed

bd85f21a6219aeae4389d700c54f1799f4b814e0

Fixed

aa9e0a7fe5efc2f74327fd37d828e9a51d9ff588

Fixed

c7bc62be6c1a60bb21301692009590b1ffda91d9

Fixed

1e446fd0582ad8be9f6dafb115fc2e7245f9bea7

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23298.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.19.0

Fixed

6.1.167

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.130

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.77

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.18.17

Type: ECOSYSTEM
Events: Introduced

6.19.0

Fixed

6.19.7

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23298.json"