Description
The SocketCAN implementation validates the length of a user-provided buffer containing a socketcan_frame object using only a NET_ASSERT statement in zcan_sendto_ctx() before dereferencing it in socketcan_to_can_frame(). In production builds where assertions are disabled, a userspace application that controls the length passed to a sendto syscall can supply an incomplete or truncated frame, causing socketcan_to_can_frame() to dereference fields beyond the end of the buffer. This results in an out-of-bounds read that can cause denial-of-service crashes or, because the parsed frame contents are transmitted on the network, leak adjacent memory.
Published: 2026-05-30
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Zephyr’s SocketCAN implementation allows a user to send a frame that is shorter than the expected socketcan_frame structure. When assertions are disabled, the code fails to check the provided length before dereferencing fields beyond the buffer. This out‐of‐bounds read can crash the kernel or, if the parsed frame is sent onto the network, leak adjacent memory containing sensitive information. The primary impact is a denial of service with potential confidentiality exposure.
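The pattern described above, as an added C example that is not Zephyr's code: `demo_frame`, `DEMO_ASSERT`, `parse_assert_only` and `parse_checked` are hypothetical stand-ins. The constructed arena keeps the over-read inside one object so the weak path is safe to run, and it shows neighbouring bytes landing in the parsed frame.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for a SocketCAN-style frame; not Zephyr's definition. */
struct demo_frame {
    uint32_t can_id;
    uint8_t len;
    uint8_t pad[3];
    uint8_t data[8];
};
/* Hypothetical assert macro, compiled out as in a production build. */
#define DEMO_ASSERT(cond) ((void)sizeof(cond))

/* Weak pattern: the length is only asserted, then a full frame is read. */
static void parse_assert_only(const void *buf, size_t len, struct demo_frame *out)
{
    DEMO_ASSERT(len == sizeof(*out)); /* condition is never evaluated */
    memcpy(out, buf, sizeof(*out));   /* reads a full frame whatever len says */
}

/* Hardened pattern: a runtime check that exists in every build. */
static int parse_checked(const void *buf, size_t len, struct demo_frame *out)
{
    if (buf == NULL || out == NULL || len != sizeof(*out)) {
        return -EINVAL;
    }
    memcpy(out, buf, sizeof(*out));
    return (out->len <= sizeof(out->data)) ? 0 : -EINVAL;
}

/* Constructed arena: 4 caller bytes, then unrelated 0xAA "neighbour" bytes. */
static size_t neighbour_bytes_after(int use_checked)
{
    uint8_t arena[sizeof(struct demo_frame)];
    struct demo_frame out = {0};
    size_t user_len = 4, leaked = 0;
    memset(arena, 0xAA, sizeof(arena));
    memset(arena, 0x00, user_len);    /* truncated frame: can_id only */
    if (!use_checked) {
        parse_assert_only(arena, user_len, &out);
    } else if (parse_checked(arena, user_len, &out) != 0) {
        return 0;                     /* rejected, nothing was parsed */
    }
    for (size_t i = 0; i < sizeof(out.data); i++) {
        leaked += (out.data[i] == 0xAA);
    }
    return leaked;                    /* neighbour bytes now in the frame */
}
```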

Affected Systems

Zephyr RTOS is affected. No specific version range is listed, but the vulnerability is tied to the SocketCAN component of the Zephyr project.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. EPSS data is not available, and the flaw is not listed in the CISA KEV catalog. The likely attack vector is local; an attacker with the ability to invoke the sendto syscall on the CAN device can provide custom frame data, triggering the vulnerability. Exploitation does not require elevated privileges beyond those normally needed to write to the CAN interface.

Generated by OpenCVE AI on May 30, 2026 at 09:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Zephyr release that patches the SocketCAN length validation issue referenced in advisory GHSA-c3w6-x7m3-3c58.
  • Restrict write access to the CAN device node so that only trusted users can invoke sendto, limiting the ability of untrusted applications to supply malformed frames.
  • If a patch cannot be applied immediately, monitor for CAN-related crashes and consider disabling the CAN interface until the fix is deployed.


Advisories

No advisories yet.

History

Sat, 30 May 2026 10:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Zephyrproject-rtos; Zephyrproject-rtos zephyr |
| Vendors & Products | | Zephyrproject-rtos; Zephyrproject-rtos zephyr |

Sat, 30 May 2026 08:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | The SocketCAN implementation validates the length of a user-provided buffer containing a socketcan_frame object using only a NET_ASSERT statement in zcan_sendto_ctx() before dereferencing it in socketcan_to_can_frame(). In production builds where assertions are disabled, a userspace application that controls the length passed to a sendto syscall can supply an incomplete or truncated frame, causing socketcan_to_can_frame() to dereference fields beyond the end of the buffer. This results in an out-of-bounds read that can cause denial-of-service crashes or, because the parsed frame contents are transmitted on the network, leak adjacent memory. |
| Title | | can: Local Denial of Service via SocketCAN Send |
| Weaknesses | | CWE-125 |
| References | | |
| Metrics | | cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H'} |


MITRE

Status: PUBLISHED

Assigner: zephyr

Published:

Updated: 2026-05-30T07:15:56.417Z

Reserved: 2026-03-27T23:41:28.910Z

Link: CVE-2026-5071

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-30T08:16:16.370

Modified: 2026-05-30T08:16:16.370

Link: CVE-2026-5071

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T10:00:10Z

Weaknesses