The SocketCAN implementation validates the length of a user-provided buffer containing a socketcan_frame object using only a NET_ASSERT statement in…
The SocketCAN implementation has a vulnerability that allows a local attacker to supply an incomplete or truncated frame, causing an out-of-bounds read and potentially leading to a denial-of-service crash or memory leak. This is due to the lack of proper validation of user-provided buffer lengths. Developers should prioritize input validation and bounds checking to prevent such attacks.
The SocketCAN implementation validates the length of a user-provided buffer containing a socketcan_frame object using only a NET_ASSERT statement in zcan_sendto_ctx() before dereferencing it in socketcan_to_can_frame(). In production builds where assertions are disabled, a userspace application that controls the length passed to a sendto syscall can supply an incomplete or truncated frame, causing socketcan_to_can_frame() to dereference fields beyond the end of the buffer. This results in an out-of-bounds read that can cause denial-of-service crashes or, because the parsed frame contents are transmitted on the network, leak adjacent memory.
Local users of the SocketCAN implementation are at medium risk of denial-of-service crashes or memory leaks due to the out-of-bounds read vulnerability.
Monitor & Review
Low severity — keep this CVE on your radar and patch during routine maintenance.
What should I do?
Published
CVE disclosed publicly
Last Modified
Most recent update
Indexed to CVEInsight
Added to this platform
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
0
Affected Products
1
References
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
Exploitability
Impact