CVE-2026-23472 Overview
A denial of service vulnerability exists in the Linux kernel's serial core subsystem due to an inconsistency between uart_write_room() and uart_write() functions when handling PORT_UNKNOWN serial ports. This logic flaw causes drivers relying on tty_write_room() to enter an infinite loop, leading to system hangs.
Critical Impact
This vulnerability can cause complete system hangs when uninitialized serial ports (PORT_UNKNOWN) are accessed, resulting in denial of service conditions that require a hard reboot to recover.
Affected Products
- Linux Kernel (serial core subsystem)
- Systems using caif_serial driver with PORT_UNKNOWN ports
- Linux systems with improperly initialized serial ports
Discovery Timeline
- 2026-04-03 - CVE-2026-23472 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-23472
Vulnerability Analysis
The vulnerability stems from a behavioral inconsistency in the Linux kernel's serial core when handling uninitialized serial ports. When a serial port is of type PORT_UNKNOWN (indicating it was never properly initialized), the xmit_buf transmission buffer remains NULL.
The uart_write_room() function returns the available space via kfifo_avail(), which can report available space greater than zero even when xmit_buf is NULL. However, uart_write() explicitly checks for a NULL xmit_buf and returns 0 if it's not allocated. This creates a dangerous condition where a caller checking write availability receives a positive value, but subsequent write operations always return zero bytes written.
Drivers such as caif_serial that implement transmit handlers using a pattern of checking available room before writing become trapped in an infinite loop. The write room check succeeds (returning > 0), prompting a write attempt, but the actual write returns 0 bytes, keeping the loop condition true indefinitely.
Root Cause
The root cause is the lack of NULL pointer validation in uart_write_room() for the xmit_buf buffer. While uart_write() properly validates this buffer before attempting operations, the room-checking function does not perform the same validation, leading to inconsistent behavior that violates caller expectations about the relationship between available room and write capability.
Attack Vector
An attacker or malicious process with access to serial port interfaces could trigger this condition by:
- Opening a serial port that was never properly initialized (PORT_UNKNOWN type)
- Initiating write operations that cause the serial driver to check write room availability
- The kernel enters an infinite loop attempting to write to the uninitialized port
- System resources become exhausted, leading to denial of service
The vulnerability requires local access to the system and the ability to interact with serial port devices. While the direct exploitation path is local, systems with serial console access exposed to networks or containerized environments may have increased exposure.
Detection Methods for CVE-2026-23472
Indicators of Compromise
- System hangs or freezes associated with serial port activity
- High CPU utilization in kernel space with no corresponding I/O progress
- Kernel logs showing repeated serial port operations without data transmission
- Process traces showing infinite loops in handle_tx() or similar serial driver functions
Detection Strategies
- Monitor for kernel soft lockup warnings related to serial subsystem functions
- Implement watchdog timers to detect unresponsive serial communication paths
- Use kernel tracing (ftrace) to identify tight loops in UART/serial driver code paths
- Deploy system monitoring to alert on unexpected kernel CPU consumption patterns
Monitoring Recommendations
- Enable kernel lockup detection mechanisms (softlockup_panic, hardlockup_panic)
- Monitor /proc/interrupts for abnormal serial port interrupt patterns
- Implement system health checks that verify serial port responsiveness
- Log and alert on caif_serial driver initialization and operation anomalies
How to Mitigate CVE-2026-23472
Immediate Actions Required
- Apply the available kernel patches from the Linux stable tree immediately
- Audit serial port configurations to identify and properly initialize PORT_UNKNOWN ports
- Restrict access to serial port devices to authorized users and processes only
- Consider disabling unused serial ports at the kernel level or via BIOS/UEFI
Patch Information
The Linux kernel development team has released patches to address this vulnerability. The fix modifies uart_write_room() to check for a NULL xmit_buf and return 0 if it's not allocated, bringing it into consistency with uart_write() behavior.
Patches are available at the following commits:
Update to a kernel version containing these fixes or apply the patches to your current kernel build.
Workarounds
- Ensure all serial ports are properly initialized before allowing user-space access
- Disable the caif_serial module if not required: modprobe -r caif_serial
- Implement kernel module loading restrictions to prevent loading vulnerable driver modules
- Use SELinux or AppArmor policies to restrict access to serial port device nodes
# Disable caif_serial module and prevent auto-loading
echo "blacklist caif_serial" >> /etc/modprobe.d/blacklist-serial.conf
modprobe -r caif_serial
# Restrict serial port device permissions
chmod 600 /dev/ttyS*
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
