Description
In the Linux kernel, the following vulnerability has been resolved:

can: gw: fix OOB heap access in cgw_csum_crc8_rel()

cgw_csum_crc8_rel() correctly computes bounds-safe indices via calc_idx():

    int from = calc_idx(crc8->from_idx, cf->len);
    int to = calc_idx(crc8->to_idx, cf->len);
    int res = calc_idx(crc8->result_idx, cf->len);

    if (from < 0 || to < 0 || res < 0)
        return;

However, the loop and the result write then use the raw s8 fields directly
instead of the computed variables:

    for (i = crc8->from_idx; ...)        /* BUG: raw negative index */
    cf->data[crc8->result_idx] = ...;    /* BUG: raw negative index */

With from_idx = to_idx = result_idx = -64 on a 64-byte CAN FD frame,
calc_idx(-64, 64) = 0 so the guard passes, but the loop iterates with
i = -64, reading cf->data[-64], and the write goes to cf->data[-64].
This write might end up to 56 (7.0-rc) or 40 (<= 6.19) bytes before the
start of the canfd_frame on the heap.

The companion function cgw_csum_xor_rel() uses `from`/`to`/`res`
correctly throughout; fix cgw_csum_crc8_rel() to match.

Confirmed with KASAN on linux-7.0-rc2:
    BUG: KASAN: slab-out-of-bounds in cgw_csum_crc8_rel+0x515/0x5b0
    Read of size 1 at addr ffff8880076619c8 by task poc_cgw_oob/62

To configure the can-gw crc8 checksums CAP_NET_ADMIN is needed.
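
The index arithmetic described above, replayed in user space without touching any frame memory. This is an added example, not the kernel source or the upstream patch: lowest_offset(), GUARD_REJECTED and the `fixed` switch are hypothetical names, calc_idx() is modelled as "a negative index counts back from the frame length" (consistent with calc_idx(-64, 64) = 0), and the two loop directions are an assumption of the model.

```c
#include <limits.h>
#include <stdio.h>

#define GUARD_REJECTED INT_MIN  /* sentinel: the from/to/res < 0 guard returned */

/* Model of calc_idx(): a negative index counts back from the frame length. */
static int calc_idx(int idx, int rx_len)
{
    return idx < 0 ? rx_len + idx : idx;
}

/*
 * Replays the index arithmetic of the crc8 routine without touching memory
 * and returns the lowest cf->data[] offset it would access.
 * fixed = 0: pre-fix behaviour (raw s8 fields used after the guard).
 * fixed = 1: patched behaviour (from/to/res used throughout).
 */
static int lowest_offset(signed char from_idx, signed char to_idx,
                         signed char result_idx, int len, int fixed)
{
    int from = calc_idx(from_idx, len);
    int to = calc_idx(to_idx, len);
    int res = calc_idx(result_idx, len);
    int first = fixed ? from : from_idx;
    int last = fixed ? to : to_idx;
    int lo = fixed ? res : result_idx;   /* offset of the result write */
    int i;

    if (from < 0 || to < 0 || res < 0)
        return GUARD_REJECTED;

    if (from <= to) {
        for (i = first; i <= last; i++)
            if (i < lo) lo = i;
    } else {
        for (i = first; i >= last; i--)
            if (i < lo) lo = i;
    }
    return lo;
}

int main(void)
{
    /* Values from the description: all indices -64 on a 64-byte CAN FD frame. */
    printf("pre-fix: data[%d]\n", lowest_offset(-64, -64, -64, 64, 0));
    printf("patched: data[%d]\n", lowest_offset(-64, -64, -64, 64, 1));
    return 0;
}
```

Any negative result other than the sentinel is an access before the start of data[]; in this model the patched variant never produces one once the guard has passed.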
Published: 2026-04-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Out‑of‑bounds heap access potentially enabling arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an out‑of‑bounds (OOB) heap read/write in the Linux kernel CAN gateway checksum routine cgw_csum_crc8_rel(). The routine incorrectly uses raw signed byte indices instead of precomputed, bounds‑checked values, allowing the loop and write to reference memory before the start of a canfd_frame. This can corrupt adjacent heap data, causing a crash or providing a foothold for arbitrary code execution. The weakness is catalogued as CWE‑125 (Out‑of‑Bounds Read) and CWE‑786 (Out‑of‑Bounds Write).

Affected Systems

Affected systems are Linux kernel versions 5.4 and the 7.0 release candidates from RC1 through RC7. The issue is present in the default kernel configuration that enables CAN gateway checksum verification and requires CAP_NET_ADMIN privileges to configure the CAN gateway checksums.

Risk and Exploitability

The CVSS score of 8.8 reflects a high‑risk vulnerability. The EPSS score of less than 1% indicates a very low probability of exploitation at the time of analysis, and the vulnerability is not listed in CISA's KEV catalog, implying no known public exploits. Based on the description, it is inferred that exploitation would likely require a user with CAP_NET_ADMIN privileges to configure the CAN gateway, or an attacker capable of injecting malicious CAN frames that trigger checksum calculation. The impact is limited to the local system, but the potential for arbitrary code execution is high if exploited. Upgrading to a patched kernel or mitigating through privilege restrictions is strongly recommended.

Generated by OpenCVE AI on April 28, 2026 at 20:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the system kernel to a version that contains the patch for CVE‑2026‑31570 (for example, Linux kernel 7.0‑rc2 or newer).
  • Restrict CAP_NET_ADMIN privileges to trusted administrators only, and audit users with this capability.
  • If an upgrade is not immediately possible, disable CAN gateway checksum verification by setting the appropriate kernel parameter (e.g., `can.gw.checksum=off`) to eliminate the vulnerable code path.



Advisories
Source | ID | Title
Debian DLA | DLA-4561-1 | linux-6.1 security update
Debian DLA | DLA-4606-1 | linux security update
Debian DSA | DSA-6238-1 | linux security update
Debian DSA | DSA-6243-1 | linux security update

History

Mon, 27 Apr 2026 20:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-125
CPEs | | cpe:2.3:o:linux:linux_kernel:5.4:-:*:*:*:*:*:*
 | | cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
 | | cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
 | | cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
 | | cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
 | | cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
 | | cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
 | | cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Mon, 27 Apr 2026 15:00:00 +0000

Type | Values Removed | Values Added
Metrics | cvssV3_1: {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'} | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Sat, 25 Apr 2026 00:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-786
References | |
Metrics | threat_severity: None | cvssV3_1: {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
 | | threat_severity: Moderate

Fri, 24 Apr 2026 15:00:00 +0000

Type | Values Removed | Values Added
Title | | can: gw: fix OOB heap access in cgw_csum_crc8_rel()
First Time appeared | | Linux
 | | Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux
 | | Linux linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:11:20.659Z

Reserved: 2026-03-09T15:48:24.117Z

Link: CVE-2026-31570

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-24T15:16:31.520

Modified: 2026-04-27T20:33:16.367

Link: CVE-2026-31570

Redhat

Severity: Moderate

Public Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31570 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T20:30:06Z

Weaknesses