{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31570", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.117Z", "datePublished": "2026-04-24T14:35:49.435Z", "dateUpdated": "2026-05-11T22:11:20.659Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:11:20.659Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gw: fix OOB heap access in cgw_csum_crc8_rel()\n\ncgw_csum_crc8_rel() correctly computes bounds-safe indices via calc_idx():\n\n int from = calc_idx(crc8->from_idx, cf->len);\n int to = calc_idx(crc8->to_idx, cf->len);\n int res = calc_idx(crc8->result_idx, cf->len);\n\n if (from < 0 || to < 0 || res < 0)\n return;\n\nHowever, the loop and the result write then use the raw s8 fields directly\ninstead of the computed variables:\n\n for (i = crc8->from_idx; ...) /* BUG: raw negative index */\n cf->data[crc8->result_idx] = ...; /* BUG: raw negative index */\n\nWith from_idx = to_idx = result_idx = -64 on a 64-byte CAN FD frame,\ncalc_idx(-64, 64) = 0 so the guard passes, but the loop iterates with\ni = -64, reading cf->data[-64], and the write goes to cf->data[-64].\nThis write might end up to 56 (7.0-rc) or 40 (<= 6.19) bytes before the\nstart of the canfd_frame on the heap.\n\nThe companion function cgw_csum_xor_rel() uses `from`/`to`/`res`\ncorrectly throughout; fix cgw_csum_crc8_rel() to match.\n\nConfirmed with KASAN on linux-7.0-rc2:\n BUG: KASAN: slab-out-of-bounds in cgw_csum_crc8_rel+0x515/0x5b0\n Read of size 1 at addr ffff8880076619c8 by task poc_cgw_oob/62\n\nTo configure the can-gw crc8 checksums CAP_NET_ADMIN is needed."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/can/gw.c"], "versions": [{"version": "456a8a646b2563438c16a9b27decf9aa717f1ebb", "lessThan": "e7c99348b0612b2bc02d5ce6ff9873261cc7605f", "status": "affected", "versionType": "git"}, {"version": "456a8a646b2563438c16a9b27decf9aa717f1ebb", "lessThan": "999ca48d55a8a46da21519db7e834e5867200379", "status": "affected", "versionType": "git"}, {"version": "456a8a646b2563438c16a9b27decf9aa717f1ebb", "lessThan": "a025283d7f7404c739225e457fb99db2368bb544", "status": "affected", "versionType": "git"}, {"version": "456a8a646b2563438c16a9b27decf9aa717f1ebb", "lessThan": "54ecdf76a55e75c1f5085e440f8ab671a3283ef5", "status": "affected", "versionType": "git"}, {"version": "456a8a646b2563438c16a9b27decf9aa717f1ebb", "lessThan": "c4e8eaa75fa0b6bcbfa5356d6195c4ad0e05e57a", "status": "affected", "versionType": "git"}, {"version": "456a8a646b2563438c16a9b27decf9aa717f1ebb", "lessThan": "84f8b76d24273175a22713e83e90874e1880d801", "status": "affected", "versionType": "git"}, {"version": "456a8a646b2563438c16a9b27decf9aa717f1ebb", "lessThan": "66b689efd08227da2c5ca49b58b30a95d23c695a", "status": "affected", "versionType": "git"}, {"version": "456a8a646b2563438c16a9b27decf9aa717f1ebb", "lessThan": "b9c310d72783cc2f30d103eed83920a5a29c671a", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/can/gw.c"], "versions": [{"version": "5.4", "status": "affected"}, {"version": "0", "lessThan": "5.4", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.131", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.80", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4", "versionEndExcluding": "6.6.131"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/e7c99348b0612b2bc02d5ce6ff9873261cc7605f"}, {"url": "https://git.kernel.org/stable/c/999ca48d55a8a46da21519db7e834e5867200379"}, {"url": "https://git.kernel.org/stable/c/a025283d7f7404c739225e457fb99db2368bb544"}, {"url": "https://git.kernel.org/stable/c/54ecdf76a55e75c1f5085e440f8ab671a3283ef5"}, {"url": "https://git.kernel.org/stable/c/c4e8eaa75fa0b6bcbfa5356d6195c4ad0e05e57a"}, {"url": "https://git.kernel.org/stable/c/84f8b76d24273175a22713e83e90874e1880d801"}, {"url": "https://git.kernel.org/stable/c/66b689efd08227da2c5ca49b58b30a95d23c695a"}, {"url": "https://git.kernel.org/stable/c/b9c310d72783cc2f30d103eed83920a5a29c671a"}], "title": "can: gw: fix OOB heap access in cgw_csum_crc8_rel()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5CE4B3A5-1831-420D-B001-512B8103441C", "versionEndExcluding": "5.10.253", "versionStartIncluding": "5.4.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E2DDDCA1-6DAB-4018-B920-8F045DDD8D3B", "versionEndExcluding": "6.1.168", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "CE6ED4D4-0046-4573-BFA9-D64143B6A89F", "versionEndExcluding": "6.6.131", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "97EB19EC-A11E-49C6-9D2F-6F6EC6CB98B6", "versionEndExcluding": "6.12.80", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED39847A-3B46-4729-B7CA-B2C30B9FA8FE", "versionEndExcluding": "6.18.21", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7", "versionEndExcluding": "6.19.11", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.4:-:*:*:*:*:*:*", "matchCriteriaId": "4D70AB13-37BE-4BD3-A652-10191F1642E4", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gw: fix OOB heap access in cgw_csum_crc8_rel()\n\ncgw_csum_crc8_rel() correctly computes bounds-safe indices via calc_idx():\n\n int from = calc_idx(crc8->from_idx, cf->len);\n int to = calc_idx(crc8->to_idx, cf->len);\n int res = calc_idx(crc8->result_idx, cf->len);\n\n if (from < 0 || to < 0 || res < 0)\n return;\n\nHowever, the loop and the result write then use the raw s8 fields directly\ninstead of the computed variables:\n\n for (i = crc8->from_idx; ...) /* BUG: raw negative index */\n cf->data[crc8->result_idx] = ...; /* BUG: raw negative index */\n\nWith from_idx = to_idx = result_idx = -64 on a 64-byte CAN FD frame,\ncalc_idx(-64, 64) = 0 so the guard passes, but the loop iterates with\ni = -64, reading cf->data[-64], and the write goes to cf->data[-64].\nThis write might end up to 56 (7.0-rc) or 40 (<= 6.19) bytes before the\nstart of the canfd_frame on the heap.\n\nThe companion function cgw_csum_xor_rel() uses `from`/`to`/`res`\ncorrectly throughout; fix cgw_csum_crc8_rel() to match.\n\nConfirmed with KASAN on linux-7.0-rc2:\n BUG: KASAN: slab-out-of-bounds in cgw_csum_crc8_rel+0x515/0x5b0\n Read of size 1 at addr ffff8880076619c8 by task poc_cgw_oob/62\n\nTo configure the can-gw crc8 checksums CAP_NET_ADMIN is needed."}], "id": "CVE-2026-31570", "lastModified": "2026-04-27T20:33:16.367", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-24T15:16:31.520", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/54ecdf76a55e75c1f5085e440f8ab671a3283ef5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/66b689efd08227da2c5ca49b58b30a95d23c695a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/84f8b76d24273175a22713e83e90874e1880d801"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/999ca48d55a8a46da21519db7e834e5867200379"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a025283d7f7404c739225e457fb99db2368bb544"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b9c310d72783cc2f30d103eed83920a5a29c671a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c4e8eaa75fa0b6bcbfa5356d6195c4ad0e05e57a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e7c99348b0612b2bc02d5ce6ff9873261cc7605f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: can: gw: fix OOB heap access in cgw_csum_crc8_rel()", "id": "2461554", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461554"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-786", "details": ["A flaw was found in the Linux kernel's Controller Area Network (CAN) gateway module. An attacker with CAP_NET_ADMIN capabilities could exploit an out-of-bounds heap access vulnerability in the cgw_csum_crc8_rel() function. This flaw occurs due to incorrect index handling, where raw negative indices are used instead of properly calculated bounds-safe indices. Successful exploitation could lead to memory corruption, potentially resulting in a denial of service or information disclosure."], "name": "CVE-2026-31570", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31570\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31570\nhttps://lore.kernel.org/linux-cve-announce/2026042402-CVE-2026-31570-5f18@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[456a8a646b2563438c16a9b27decf9aa717f1ebb,e7c99348b0612b2bc02d5ce6ff9873261cc7605f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[456a8a646b2563438c16a9b27decf9aa717f1ebb,999ca48d55a8a46da21519db7e834e5867200379)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[456a8a646b2563438c16a9b27decf9aa717f1ebb,a025283d7f7404c739225e457fb99db2368bb544)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[456a8a646b2563438c16a9b27decf9aa717f1ebb,54ecdf76a55e75c1f5085e440f8ab671a3283ef5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[456a8a646b2563438c16a9b27decf9aa717f1ebb,c4e8eaa75fa0b6bcbfa5356d6195c4ad0e05e57a)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[456a8a646b2563438c16a9b27decf9aa717f1ebb,84f8b76d24273175a22713e83e90874e1880d801)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[456a8a646b2563438c16a9b27decf9aa717f1ebb,66b689efd08227da2c5ca49b58b30a95d23c695a)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[456a8a646b2563438c16a9b27decf9aa717f1ebb,b9c310d72783cc2f30d103eed83920a5a29c671a)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "5.4"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.4)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.10.253,5.11.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.15.203,5.16.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.168,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.131,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.80,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.21,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.11,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T20:17:32.005893+00:00", "value": {"mitigation_remediation": ["Upgrade the system kernel to a version that contains the patch for CVE\u20112026\u201131570 (for example, Linux kernel 7.0\u2011rc2 or newer).", "Restrict CAP_NET_ADMIN privileges to trusted administrators only, and audit users with this capability.", "If an upgrade is not immediately possible, disable CAN gateway checksum verification by setting the appropriate kernel parameter (e.g., `can.gw.checksum=off`) to eliminate the vulnerable code path."], "summary": {"action": "Immediate Patch", "impact": "Out\u2011of\u2011bounds heap access potentially enabling arbitrary code execution"}, "threat_synthesis": {"affected_systems": "Affected systems are Linux kernel versions 5.4 and the 7.0 release candidates from RC1 through RC7. The issue is present in the default kernel configuration that enables CAN gateway checksum verification and requires CAP_NET_ADMIN privileges to configure the CAN gateway checksums.", "description_and_impact": "The vulnerability is an out\u2011of\u2011bounds (OOB) heap read/write in the Linux kernel CAN gateway checksum routine cgw_csum_crc8_rel(). The routine incorrectly uses raw signed byte indices instead of precomputed, bounds\u2011checked values, allowing the loop and write to reference memory before the start of a canfd_frame. This can corrupt adjacent heap data, causing a crash or providing a foothold for arbitrary code execution. The weakness is catalogued as CWE\u2011125 (Out\u2011of\u2011Bounds Read) and CWE\u2011786 (Out\u2011of\u2011Bounds Write).", "risk_and_exploitability": "The CVSS score of 8.8 reflects a high\u2011risk vulnerability. The EPSS score of less than 1% indicates a very low probability of exploitation at the time of analysis, and the vulnerability is not listed in CISA's KEV catalog, implying no known public exploits. Based on the description, it is inferred that exploitation would likely require a user with CAP_NET_ADMIN privileges to configure the CAN gateway, or an attacker capable of injecting malicious CAN frames that trigger checksum calculation. The impact is limited to the local system, but the potential for arbitrary code execution is high if exploited. Upgrade to a patched kernel or mitigate through privilege restrictions is strongly recommended."}}}}, "created": "2026-04-27T19:00:15.751919+00:00", "updated": "2026-04-28T20:30:06.171526+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}