PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23472 Linux CVE debrief

A vulnerability in the Linux kernel's serial core subsystem could cause system hangs via infinite loops when drivers interact with improperly initialized serial ports. The issue stems from inconsistent behavior between uart_write_room() and uart_write() when the transmit buffer (xmit_buf) is NULL—a condition occurring with PORT_UNKNOWN ports that were never properly initialized. Specifically, uart_write_room() returns a positive value from kfifo_avail() indicating space available, while uart_write() returns 0 when xmit_buf is NULL. This mismatch causes drivers like caif_serial's handle_tx() to enter infinite loops: they check tty_write_room() > 0, attempt to write, receive 0 bytes written, and repeat indefinitely. The fix aligns both functions by having uart_write_room() also return 0 when xmit_buf is NULL. Affected versions span from Linux 2.6.12 through 6.18.x and 6.19.x before 6.19.10, plus 7.0 release candidates. The vulnerability requires local access and has been assigned a CVSS 3.1 score of 5.5 (MEDIUM).

Vendor
Linux
Product
Unknown
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-03
Original CVE updated
2026-05-26
Advisory published
2026-04-03
Advisory updated
2026-05-26

Who should care

Linux system administrators running kernels 2.6.12 through 6.18.x or 6.19.x before 6.19.10; embedded systems using caif_serial or custom serial drivers; telecommunications infrastructure using CAIF (Communication CPU to Application CPU Interface Framework) serial transport; kernel maintainers backporting fixes to long-term support branches

Technical summary

The vulnerability exists in drivers/tty/serial/serial_core.c where uart_write_room() and uart_write() handle NULL xmit_buf inconsistently. When a serial port has type PORT_UNKNOWN and was never initialized with a transmit buffer, uart_write_room() calls kfifo_avail() which may return > 0, while uart_write() checks xmit_buf and returns 0. Drivers implementing write loops based on tty_write_room()—such as caif_serial's handle_tx()—enter infinite loops: the room check passes, but the write returns 0, causing unbounded iteration. The fix adds a NULL check for xmit_buf in uart_write_room(), returning 0 to match uart_write() behavior. This is classified as CWE-835 (Loop with Unreachable Exit Condition). The attack vector is local, requiring ability to trigger serial port operations, with availability impact (system hang) but no confidentiality or integrity impact.

Defensive priority

medium

Recommended defensive actions

  • Apply the appropriate stable kernel patch from kernel.org for your kernel version branch
  • Upgrade to Linux kernel 6.18.20 or later, or 6.19.10 or later, or 7.0-rc5 or later
  • If running custom serial drivers that use tty_write_room() loops, verify they handle zero-byte write returns gracefully
  • Monitor systems using caif_serial or similar drivers for unexpected CPU consumption or hangs
  • Review serial port initialization to ensure PORT_UNKNOWN ports are properly configured before use

Evidence notes

The vulnerability description and patch references are sourced from the official NVD record. The issue was resolved by making uart_write_room() check xmit_buf and return 0 when NULL, consistent with uart_write() behavior. Three kernel.org stable patches are referenced. CPE criteria indicate affected versions from 2.6.12.1 through 6.18.20 (excluding), 6.19 through 6.19.10 (excluding), and 7.0 release candidates rc1-rc4. The CWE-835 classification (Loop with Unreachable Exit Condition) aligns with the infinite loop behavior described.

Official resources

2026-04-03