CVE-2026-23472

MEDIUM

serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN uart_write_room() and uart_write() behave inconsistently when xmit_buf is NULL (which happens for PORT_UNKNOWN ports that were never properly initialized): - uart_write_room() returns kfifo_avail() which can be > 0 - uart_write() checks xmit_buf and returns 0 if NULL This inconsistency causes an infinite loop in drivers that rely on tty_write_room() to determine if they can write: while (tty_write_room(tty) > 0) { written = tty->ops->write(...); // written is always 0, loop never exits } For example, caif_serial's handle_tx() enters an infinite loop when used with PORT_UNKNOWN serial ports, causing system hangs. Fix by making uart_write_room() also check xmit_buf and return 0 if it's NULL, consistent with uart_write(). Reproducer: https://gist.github.com/mrpre/d9a694cc0e19828ee3bc3b37983fde13

Scores

CVSS v3 5.5
EPSS 0.0012
EPSS Percentile 2.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-835
Status published
Products (14)
linux/Kernel 2.6.12 - 6.18.20linux
linux/Kernel 6.19.0 - 6.19.10linux
Linux/Linux < 2.6.12
Linux/Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - 455ce986fa356ff43a43c0d363ba95fa152f21d5
Linux/Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - bc70f2b36cf474d5cc8ecbcaf57f3e326fdec67c
Linux/Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - efe85a557186b7fe915572ae93a8f3f78bfd9a22
Linux/Linux 2.6.12
Linux/Linux 6.18.20 - 6.18.*
Linux/Linux 6.19.10 - 6.19.*
Linux/Linux 7.0
... and 4 more
Published Apr 03, 2026
Tracked Since Apr 03, 2026