GHSA-QXH5-H6MX-QV45
Vulnerability from github – Published: 2025-12-16 18:31 – Updated: 2025-12-16 18:31In the Linux kernel, the following vulnerability has been resolved:
can: kvaser_usb: leaf: Fix potential infinite loop in command parsers
The kvaser_usb_leaf_wait_cmd() and kvaser_usb_leaf_read_bulk_callback
functions contain logic to zero-length commands. These commands are used
to align data to the USB endpoint's wMaxPacketSize boundary.
The driver attempts to skip these placeholders by aligning the buffer
position pos to the next packet boundary using round_up() function.
However, if zero-length command is found exactly on a packet boundary
(i.e., pos is a multiple of wMaxPacketSize, including 0), round_up
function will return the unchanged value of pos. This prevents pos
to be increased, causing an infinite loop in the parsing logic.
This patch fixes this in the function by using pos + 1 instead.
This ensures that even if pos is on a boundary, the calculation is
based on pos + 1, forcing round_up() to always return the next
aligned boundary.
{
"affected": [],
"aliases": [
"CVE-2025-68308"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-16T16:16:10Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: kvaser_usb: leaf: Fix potential infinite loop in command parsers\n\nThe `kvaser_usb_leaf_wait_cmd()` and `kvaser_usb_leaf_read_bulk_callback`\nfunctions contain logic to zero-length commands. These commands are used\nto align data to the USB endpoint\u0027s wMaxPacketSize boundary.\n\nThe driver attempts to skip these placeholders by aligning the buffer\nposition `pos` to the next packet boundary using `round_up()` function.\n\nHowever, if zero-length command is found exactly on a packet boundary\n(i.e., `pos` is a multiple of wMaxPacketSize, including 0), `round_up`\nfunction will return the unchanged value of `pos`. This prevents `pos`\nto be increased, causing an infinite loop in the parsing logic.\n\nThis patch fixes this in the function by using `pos + 1` instead.\nThis ensures that even if `pos` is on a boundary, the calculation is\nbased on `pos + 1`, forcing `round_up()` to always return the next\naligned boundary.",
"id": "GHSA-qxh5-h6mx-qv45",
"modified": "2025-12-16T18:31:34Z",
"published": "2025-12-16T18:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68308"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/028e89c7e8b4346302e88df01cc50e0a1f05791a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0897cea266e39166a36111059ba147192b36592f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0c73772cd2b8cc108d5f5334de89ad648d89b9ec"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/58343e0a4d43699f0e2f5b169384bbe4c0217add"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/69c7825df64e24dc15d31631a1fc9145324b1345"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bd8135a560cf6e64f0b98ed4daadf126a38f7f48"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e9dd83a75a7274edef21682c823bf0b66d7b6b7f"
}
],
"schema_version": "1.4.0",
"severity": []
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.