Impact
RT‑Thread's ls1c CAN handler contains a stack‑based buffer overflow in the recvmsg function within ls1c_can.h. When a crafted CAN message is received, the function copies more data than the fixed‑size stack buffer can hold, overwriting adjacent stack contents such as saved registers and the return address. The weakness is classified as CWE‑119 (improper restriction of operations within the bounds of a memory buffer) and CWE‑121 (stack‑based buffer overflow). Because classical CAN carries no sender authentication, any node able to transmit on the bus the controller listens to can deliver such a frame; the outcome ranges from a crash or hang (denial of service) to arbitrary code execution in the firmware, and with it loss of confidentiality, integrity, or availability of the embedded device.
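The bug class described above is easiest to see in code. The following is a constructed illustration added here, not RT‑Thread's ls1c_can.h or its recvmsg implementation: the frame layout, the function names recvmsg_unchecked and recvmsg_hardened, and the buffer sizes are assumptions. The security-relevant detail it shows is that a CAN controller's DLC field is 4 bits wide and so can carry the values 9 through 15 even though a classical CAN frame holds at most 8 data bytes; a receive path that trusts the field drives memcpy past an 8‑byte stack buffer, while the hardened path clamps the length to 8 first.

```c
/* Constructed example of the CAN-receive stack overflow class; not the
 * project's code. Structure layout, names and sizes are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CAN_MAX_DLC    8     /* classical CAN carries at most 8 data bytes */
#define DLC_FIELD_MASK 0x0F  /* the DLC field in a frame register is 4 bits */

/* Hypothetical controller view of a received frame. The DLC field is latched
 * straight from the bus, so a remote node controls its value (0..15). */
struct hw_can_frame {
    uint32_t id;
    uint8_t  dlc_field;
    uint8_t  payload[CAN_MAX_DLC];
};

/* Message handed to upper layers; data[] stands in for the fixed-size
 * buffer a receive handler keeps on its stack. */
struct can_msg {
    uint32_t id;
    uint8_t  len;
    uint8_t  data[CAN_MAX_DLC];
};

/* Number of bytes an unchecked copy would use for a given DLC field value. */
size_t unchecked_copy_len(uint8_t dlc_field)
{
    return dlc_field & DLC_FIELD_MASK;
}

/* How many bytes past the 8-byte stack buffer that unchecked copy would run:
 * 0 for DLC 0..8, 1..7 for DLC 9..15. */
size_t overrun_bytes(uint8_t dlc_field)
{
    size_t n = unchecked_copy_len(dlc_field);
    return n > CAN_MAX_DLC ? n - CAN_MAX_DLC : 0;
}

/* Vulnerable pattern (assumed shape): trusts the bus-supplied DLC. With a
 * frame whose DLC field is 9..15, memcpy writes up to 7 bytes beyond
 * out->data, corrupting whatever follows it on the stack. Only ever call
 * this with dlc_field <= 8; it is here to show the defect, not to run it. */
int recvmsg_unchecked(const struct hw_can_frame *hw, struct can_msg *out)
{
    out->id  = hw->id;
    out->len = (uint8_t)(hw->dlc_field & DLC_FIELD_MASK);
    memcpy(out->data, hw->payload, out->len);  /* overflows when len > 8 */
    return 0;
}

/* Hardened pattern: clamp the length to the buffer size before copying.
 * ISO 11898-1 says a classical-CAN receiver treats DLC 9..15 as 8 bytes,
 * so clamping is spec-correct; rejecting the frame is an equally valid
 * policy. Returns the number of bytes copied. */
int recvmsg_hardened(const struct hw_can_frame *hw, struct can_msg *out)
{
    size_t len = unchecked_copy_len(hw->dlc_field);
    if (len > CAN_MAX_DLC)
        len = CAN_MAX_DLC;          /* the check the unchecked path lacks */
    out->id  = hw->id;
    out->len = (uint8_t)len;
    memcpy(out->data, hw->payload, len);
    return (int)len;
}

int main(void)
{
    /* Constructed frame: DLC field 0xF, which the unchecked path would
     * treat as a 15-byte copy into an 8-byte buffer. */
    struct hw_can_frame f = { 0x123, 0x0F, {1, 2, 3, 4, 5, 6, 7, 8} };
    struct can_msg m;
    printf("unchecked copy would overrun by %zu bytes\n",
           overrun_bytes(f.dlc_field));
    printf("hardened path copied %d bytes\n", recvmsg_hardened(&f, &m));
    return 0;
}
```

The clamp is cheap, but it only covers this one field: a driver that also reads a length from a CAN FD DLC (where 9..15 encode 12 to 64 bytes) or from a message-assembly protocol layered on CAN needs the same bound check against its own buffer size at each copy.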
Affected Systems
The flaw exists in RT‑Thread releases up to and including 5.0.2. It lives in the ls1c CAN handler at bsp/loongson/ls1cdev/libraries/ls1c_can.h, which is part of the Loongson 1C board support package, so it is compiled only into images built for that BSP; firmware built for other boards does not include the affected code. A deployment is vulnerable when it runs RT‑Thread 5.0.2 or earlier on an LS1C target and its CAN controller is attached to a bus on which an untrusted node can transmit.
Risk and Exploitability
With a CVSS score of 8.5, the vulnerability is rated high severity. The attack vector is local: the attacker must be able to place frames on the CAN bus the controller listens to, whether as a physically attached node or from another compromised device on the same bus. No credentials or user interaction are involved, since classical CAN accepts frames from any transmitter. The advisory record notes that an exploit is publicly available, so an attacker with that bus access could feasibly trigger the overflow. The EPSS score puts the probability of exploitation in the wild below 1% and the issue is not listed in the CISA KEV catalog, but the public exploit means the threat is realistic for any device whose CAN bus is reachable by untrusted parties.
OpenCVE Enrichment