{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23472", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.022Z", "datePublished": "2026-04-03T15:15:51.209Z", "dateUpdated": "2026-05-11T22:07:41.736Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:07:41.736Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN\n\nuart_write_room() and uart_write() behave inconsistently when\nxmit_buf is NULL (which happens for PORT_UNKNOWN ports that were\nnever properly initialized):\n\n- uart_write_room() returns kfifo_avail() which can be > 0\n- uart_write() checks xmit_buf and returns 0 if NULL\n\nThis inconsistency causes an infinite loop in drivers that rely on\ntty_write_room() to determine if they can write:\n\n while (tty_write_room(tty) > 0) {\n written = tty->ops->write(...);\n // written is always 0, loop never exits\n }\n\nFor example, caif_serial's handle_tx() enters an infinite loop when\nused with PORT_UNKNOWN serial ports, causing system hangs.\n\nFix by making uart_write_room() also check xmit_buf and return 0 if\nit's NULL, consistent with uart_write().\n\nReproducer: https://gist.github.com/mrpre/d9a694cc0e19828ee3bc3b37983fde13"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/tty/serial/serial_core.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "efe85a557186b7fe915572ae93a8f3f78bfd9a22", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "bc70f2b36cf474d5cc8ecbcaf57f3e326fdec67c", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "455ce986fa356ff43a43c0d363ba95fa152f21d5", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/tty/serial/serial_core.c"], "versions": [{"version": "2.6.12", "status": "affected"}, {"version": "0", "lessThan": "2.6.12", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/efe85a557186b7fe915572ae93a8f3f78bfd9a22"}, {"url": "https://git.kernel.org/stable/c/bc70f2b36cf474d5cc8ecbcaf57f3e326fdec67c"}, {"url": "https://git.kernel.org/stable/c/455ce986fa356ff43a43c0d363ba95fa152f21d5"}], "title": "serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN\n\nuart_write_room() and uart_write() behave inconsistently when\nxmit_buf is NULL (which happens for PORT_UNKNOWN ports that were\nnever properly initialized):\n\n- uart_write_room() returns kfifo_avail() which can be > 0\n- uart_write() checks xmit_buf and returns 0 if NULL\n\nThis inconsistency causes an infinite loop in drivers that rely on\ntty_write_room() to determine if they can write:\n\n while (tty_write_room(tty) > 0) {\n written = tty->ops->write(...);\n // written is always 0, loop never exits\n }\n\nFor example, caif_serial's handle_tx() enters an infinite loop when\nused with PORT_UNKNOWN serial ports, causing system hangs.\n\nFix by making uart_write_room() also check xmit_buf and return 0 if\nit's NULL, consistent with uart_write().\n\nReproducer: https://gist.github.com/mrpre/d9a694cc0e19828ee3bc3b37983fde13"}], "id": "CVE-2026-23472", "lastModified": "2026-04-07T13:20:55.200", "metrics": {}, "published": "2026-04-03T16:16:34.977", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/455ce986fa356ff43a43c0d363ba95fa152f21d5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/bc70f2b36cf474d5cc8ecbcaf57f3e326fdec67c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/efe85a557186b7fe915572ae93a8f3f78bfd9a22"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN", "id": "2454862", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454862"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-474", "details": ["A flaw was found in the Linux kernel's serial core component. An inconsistency between the `uart_write_room()` and `uart_write()` functions, specifically when handling `PORT_UNKNOWN` serial ports with a NULL transmit buffer, can lead to an infinite loop. This allows a local user or process to trigger a system hang, resulting in a Denial of Service (DoS)."], "name": "CVE-2026-23472", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23472\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23472\nhttps://lore.kernel.org/linux-cve-announce/2026040322-CVE-2026-23472-c68c@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,efe85a557186b7fe915572ae93a8f3f78bfd9a22)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,bc70f2b36cf474d5cc8ecbcaf57f3e326fdec67c)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,455ce986fa356ff43a43c0d363ba95fa152f21d5)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.18.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.19.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-07T09:43:32.426616+00:00", "value": {"mitigation_remediation": ["Apply the upstream kernel patch from commit 455ce986fa356ff43a43c0d363ba95fa152f21d5 (or any newer stable release that contains the fix).", "Reboot the system after updating the kernel to ensure the patch takes effect.", "Verify that serial devices no longer report non\u2011zero write room with an uninitialized transmit buffer by testing with caif_serial or other PORT_UNKNOWN drivers.", "As a temporary precaution, avoid creating or using serial ports that are marked PORT_UNKNOWN until the kernel has been upgraded."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "All Linux kernel implementations that include the affected serial core code are impacted. This includes every kernel distribution that has not yet incorporated the patch that synchronizes uart_write_room() with uart_write(). Because the vulnerability is in the kernel itself, any system running an affected kernel is susceptible, regardless of host hardware or distribution vendor. Specific affected versions are not enumerated in the advisory, so systems should verify whether their current kernel source contains the commit that restores consistent behavior.", "description_and_impact": "The vulnerability arises from an inconsistency between the functions uart_write_room() and uart_write() in the Linux kernel serial subsystem. When a serial port is marked as PORT_UNKNOWN and its transmit buffer has never been initialized, uart_write_room() incorrectly reports available space while uart_write() returns zero. Drivers that rely on tty_write_room() to determine write capacity enter an infinite loop, repeatedly invoking write operations with no progress. The loop prevents the driver from terminating and can lead the entire system to hang or become unresponsive, resulting in a denial of service.", "risk_and_exploitability": "The advisory rates the issue with a CVSS score of 5.5, indicating a moderate level of severity. The exploit prediction score is less than 1% and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting it has not been reported as widely exploited. An attacker would need local or high\u2011privilege access to interfere with a serial device that has not been properly initialized. Because the flaw manifests only when a driver calls tty_write_room() in a loop, remote exploitation is unlikely without additional local foothold. For most environments, the primary risk is an accidental misconfiguration of serial devices rather than deliberate attack."}}}}, "created": "2026-04-03T21:13:26.987791+00:00", "updated": "2026-04-08T19:53:38.429701+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}