Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local userspace app with low privileges controls the sendto length (AV:L/PR:L/AC:L); the OOB read yields memory disclosure (C:H) and crashes (A:H) but modifies no state, so I:N rather than the reported I:H.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionNVD
The SocketCAN implementation validates the length of a user-provided buffer containing a socketcan_frame object using only a NET_ASSERT statement in zcan_sendto_ctx() before dereferencing it in socketcan_to_can_frame(). In production builds where assertions are disabled, a userspace application that controls the length passed to a sendto syscall can supply an incomplete or truncated frame, causing socketcan_to_can_frame() to dereference fields beyond the end of the buffer. This results in an out-of-bounds read that can cause denial-of-service crashes or, because the parsed frame contents are transmitted on the network, leak adjacent memory.
AnalysisAI
Out-of-bounds read in the Zephyr RTOS SocketCAN implementation lets a local userspace application leak adjacent memory or crash the system by submitting a truncated CAN frame through the sendto syscall. The zcan_sendto_ctx() path guards the user-supplied buffer length only with a NET_ASSERT, which is compiled out of production builds, so socketcan_to_can_frame() then dereferences fields past the end of the buffer. All Zephyr versions up to and including 4.3 are affected; there is no public exploit identified at time of analysis and EPSS is negligible (0.01%, 2nd percentile).
Technical ContextAI
Zephyr is an open-source real-time operating system for resource-constrained embedded and IoT devices. The flaw lives in its SocketCAN networking layer, which exposes a BSD-style socket API over the CAN (Controller Area Network) bus. When a userspace application calls sendto() with a socketcan_frame object, zcan_sendto_ctx() is supposed to verify that the caller-supplied length is large enough to hold a full frame, but it does so with a NET_ASSERT - a debug-only assertion that is disabled (compiled to a no-op) in production builds. socketcan_to_can_frame() subsequently reads frame fields (such as CAN ID, DLC, and data bytes) at fixed offsets, and with a truncated buffer those reads fall past the allocation boundary. This is a classic CWE-125 out-of-bounds read caused by trusting an assertion for security-relevant input validation rather than an unconditional runtime check.
RemediationAI
Upgrade to a Zephyr release beyond 4.3 that contains the fix; the GHSA advisory (https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-c3w6-x7m3-3c58) is the authoritative source for the exact patched version, which is not independently confirmed from the available data - no fixed version string was provided, so treat patch availability as per-vendor-advisory only. As a compensating control until patching, add an unconditional length check in zcan_sendto_ctx() before calling socketcan_to_can_frame(), or if you build your own image temporarily keep NET_ASSERT enabled in the affected build (trade-off: assertions increase code size and halt the system on trigger, which may be undesirable in production). Operationally, restrict which userspace applications may open and write to SocketCAN sockets, since exploitation requires a local process that can issue the sendto syscall on a CAN socket. See https://vuldb.com/vuln/367420 for supplementary tracking.
Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),
Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit
Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS
Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner
Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability
Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable
DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul
zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(
Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul
Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.
The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte
Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33449