Skip to main content

Linux Kernel EUVDEUVD-2026-25463

| CVE-2026-31570 HIGH
Out-of-bounds Read (CWE-125)
2026-04-24 Linux GHSA-67vp-4p2p-jr3c
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
6.1 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 20:37 vuln.today
cvss_changed
Patch released
Apr 27, 2026 - 20:33 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:31 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
8.8 (HIGH)
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25463
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:35 nvd
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

can: gw: fix OOB heap access in cgw_csum_crc8_rel()

cgw_csum_crc8_rel() correctly computes bounds-safe indices via calc_idx():

int from = calc_idx(crc8->from_idx, cf->len); int to = calc_idx(crc8->to_idx, cf->len); int res = calc_idx(crc8->result_idx, cf->len);

if (from < 0 || to < 0 || res < 0) return;

However, the loop and the result write then use the raw s8 fields directly instead of the computed variables:

for (i = crc8->from_idx; ...) /* BUG: raw negative index */ cf->data[crc8->result_idx] = ...; /* BUG: raw negative index */

With from_idx = to_idx = result_idx = -64 on a 64-byte CAN FD frame, calc_idx(-64, 64) = 0 so the guard passes, but the loop iterates with i = -64, reading cf->data[-64], and the write goes to cf->data[-64]. This write might end up to 56 (7.0-rc) or 40 (<= 6.19) bytes before the start of the canfd_frame on the heap.

The companion function cgw_csum_xor_rel() uses from/to/res correctly throughout; fix cgw_csum_crc8_rel() to match.

Confirmed with KASAN on linux-7.0-rc2: BUG: KASAN: slab-out-of-bounds in cgw_csum_crc8_rel+0x515/0x5b0 Read of size 1 at addr ffff8880076619c8 by task poc_cgw_oob/62

To configure the can-gw crc8 checksums CAP_NET_ADMIN is needed.

AnalysisAI

Out-of-bounds heap write in Linux kernel CAN gateway CRC8 checksum processing allows adjacent network attackers to corrupt kernel memory and potentially achieve code execution. The cgw_csum_crc8_rel() function in the CAN gateway subsystem uses raw negative index values instead of bounds-checked variables when accessing canfd_frame data, enabling writes up to 56 bytes before the heap object. Exploitation requires CAP_NET_ADMIN capability to configure CAN gateway CRC8 checksums. EPSS exploitation probability is very low (0.02%, 7th percentile) and no active exploitation has been reported. Vendor patches available across multiple kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0).

Technical ContextAI

The vulnerability exists in the Linux kernel's Controller Area Network (CAN) gateway subsystem, specifically in net/can/gw.c. CAN is a vehicle bus standard used in automotive and industrial control systems, and the kernel's CAN gateway provides routing and modification capabilities for CAN frames. The cgw_csum_crc8_rel() function implements CRC8 checksum computation for CAN frame manipulation. The function correctly validates indices using calc_idx() helper that converts potentially negative s8 index values into safe offsets based on frame length, but then fails to use the validated variables (from, to, res) in the actual loop and memory write operations. Instead, it directly uses the raw crc8->from_idx, crc8->to_idx, and crc8->result_idx fields, which can be negative. With specially crafted negative indices (-64 on a 64-byte CAN FD frame), calc_idx(-64, 64) returns 0 (passing validation), but the loop counter and array access use the raw -64 value, resulting in out-of-bounds heap access to cf->data[-64]. The issue was confirmed with KASAN (Kernel Address Sanitizer) on linux-7.0-rc2. The vulnerability affects kernel versions from 5.4 onward where commit 456a8a646b25 introduced the flawed code.

RemediationAI

Upgrade to patched kernel versions: 5.10.253+ for 5.10.y LTS, 5.15.203+ for 5.15.y LTS, 6.1.168+ for 6.1.y LTS, 6.6.131+ for 6.6.y stable, 6.12.80+ for 6.12.y, 6.18.21+ for 6.18.y, 6.19.11+ for 6.19.y, or 7.0+ for mainline. Upstream fix commits are available at https://git.kernel.org/stable/c/b9c310d72783cc2f30d103eed83920a5a29c671a and related stable branch URLs in references. If immediate patching is not feasible, consider these compensating controls with their trade-offs: (1) Disable the CAN gateway module entirely with 'modprobe -r can-gw' or blacklist it in /etc/modprobe.d/ - this prevents all CAN frame routing/manipulation functionality, acceptable if CAN gateway features are not required; (2) Restrict CAP_NET_ADMIN capability using Linux security modules (AppArmor, SELinux) or container capabilities dropping - limits who can configure CAN gateways but may break legitimate administrative tools; (3) If running in containers, ensure CAN network namespaces are isolated and CAP_NET_ADMIN is dropped from container capabilities - reduces attack surface but requires careful orchestration configuration. Note that simply filtering CAN traffic at network level is ineffective since the vulnerability is triggered by local configuration, not by malicious CAN frames on the bus. Organizations should audit which systems actually require CAN gateway functionality before applying mitigations.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-25463 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy