Bug 2454862 (CVE-2026-23472) - CVE-2026-23472 kernel: serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN
Summary: CVE-2026-23472 kernel: serial: core: fix infinite loop in handle_tx() for POR...
Keywords:
Status: NEW
Alias: CVE-2026-23472
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-04-03 16:04 UTC by OSIDB Bzimport
Modified: 2026-04-03 17:12 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-04-03 16:04:53 UTC 
In the Linux kernel, the following vulnerability has been resolved:

serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN

uart_write_room() and uart_write() behave inconsistently when
xmit_buf is NULL (which happens for PORT_UNKNOWN ports that were
never properly initialized):

- uart_write_room() returns kfifo_avail() which can be > 0
- uart_write() checks xmit_buf and returns 0 if NULL

This inconsistency causes an infinite loop in drivers that rely on
tty_write_room() to determine if they can write:

  while (tty_write_room(tty) > 0) {
      written = tty->ops->write(...);
      // written is always 0, loop never exits
  }

For example, caif_serial's handle_tx() enters an infinite loop when
used with PORT_UNKNOWN serial ports, causing system hangs.

Fix by making uart_write_room() also check xmit_buf and return 0 if
it's NULL, consistent with uart_write().

Reproducer: https://gist.github.com/mrpre/d9a694cc0e19828ee3bc3b37983fde13
Comment 1 Jon Moroney 2026-04-03 17:11:56 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026040322-CVE-2026-23472-c68c@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.