can: gw: fix OOB heap access in cgw_csum_crc8_rel()_CVE-2026-31570

8.8 / 10

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

can: gw: fix OOB heap access in cgw_csum_crc8_rel()

cgw_csum_crc8_rel() correctly computes bounds-safe indices via calc_idx():

int from = calc_idx(crc8->from_idx, cf->len);
int to = calc_idx(crc8->to_idx, cf->len);
int res = calc_idx(crc8->result_idx, cf->len);

if (from < 0 || to < 0 || res < 0)
return;

However, the loop and the result write then use the raw s8 fields directly
instead of the computed variables:

for (i = crc8->from_idx; ...) /* BUG: raw negative index */
cf->data[crc8->result_idx] = ...; /* BUG: raw negative index */

With from_idx = to_idx = result_idx = -64 on a 64-byte CAN FD frame,
calc_idx(-64, 64) = 0 so the guard passes, but the loop iterates with
i = -64, reading cf->data[-64], and the write goes to cf->data[-64].
This write might end up to 56 (7.0-rc) or 40 (<= 6.19) bytes before the
start of the canfd_frame on the heap.

The companion function cgw_csum_xor_rel() uses `from`/`to`/`res`
correctly throughout; fix cgw_csum_crc8_rel() to match.

Confirmed with KASAN on linux-7.0-rc2:
BUG: KASAN: slab-out-of-bounds in cgw_csum_crc8_rel+0x515/0x5b0
Read of size 1 at addr ffff8880076619c8 by task poc_cgw_oob/62

To configure the can-gw crc8 checksums CAP_NET_ADMIN is needed.

AI Analysis

AI processing failed - invalid JSON response

Basic Information

ID CVE-2026-31570

Source Linux

Published Apr 24, 2026 at 14:35

Modified Apr 27, 2026 at 14:04

Affected Product

Vendor Linux

Product Linux

Version 456a8a646b2563438c16a9b27decf9aa717f1ebb

Affected Versions Linux Linux 456a8a646b2563438c16a9b27decf9aa717f1ebb
Linux Linux 456a8a646b2563438c16a9b27decf9aa717f1ebb
Linux Linux 456a8a646b2563438c16a9b27decf9aa717f1ebb
Linux Linux 456a8a646b2563438c16a9b27decf9aa717f1ebb
Linux Linux 456a8a646b2563438c16a9b27decf9aa717f1ebb
Linux Linux 456a8a646b2563438c16a9b27decf9aa717f1ebb
Linux Linux 456a8a646b2563438c16a9b27decf9aa717f1ebb
Linux Linux 456a8a646b2563438c16a9b27decf9aa717f1ebb
Linux Linux 5.4

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gw: fix OOB heap access in cgw_csum_crc8_rel()\n\ncgw_csum_crc8_rel() correctly computes bounds-safe indices via calc_idx():\n\n    int from = calc_idx(crc8->from_idx, cf->len);\n    int to   = calc_idx(crc8->to_idx,   cf->len);\n    int res  = calc_idx(crc8->result_idx, cf->len);\n\n    if (from < 0 || to < 0 || res < 0)\n        return;\n\nHowever, the loop and the result write then use the raw s8 fields directly\ninstead of the computed variables:\n\n    for (i = crc8->from_idx; ...)        /* BUG: raw negative index */\n    cf->data[crc8->result_idx] = ...;    /* BUG: raw negative index */\n\nWith from_idx = to_idx = result_idx = -64 on a 64-byte CAN FD frame,\ncalc_idx(-64, 64) = 0 so the guard passes, but the loop iterates with\ni = -64, reading cf->data[-64], and the write goes to cf->data[-64].\nThis write might end up to 56 (7.0-rc) or 40 (<= 6.19) bytes before the\nstart of the canfd_frame on the heap.\n\nThe companion function cgw_csum_xor_rel() uses `from`/`to`/`res`\ncorrectly throughout; fix cgw_csum_crc8_rel() to match.\n\nConfirmed with KASAN on linux-7.0-rc2:\n  BUG: KASAN: slab-out-of-bounds in cgw_csum_crc8_rel+0x515/0x5b0\n  Read of size 1 at addr ffff8880076619c8 by task poc_cgw_oob/62\n\nTo configure the can-gw crc8 checksums CAP_NET_ADMIN is needed.",
    "published": "2026-04-24T14:35:49.435Z",
    "modified": "2026-04-27T14:04:09.044Z",
    "type": "cve",
    "title": "can: gw: fix OOB heap access in cgw_csum_crc8_rel()",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/e7c99348b0612b2bc02d5ce6ff9873261cc7605f\nhttps://git.kernel.org/stable/c/999ca48d55a8a46da21519db7e834e5867200379\nhttps://git.kernel.org/stable/c/a025283d7f7404c739225e457fb99db2368bb544\nhttps://git.kernel.org/stable/c/54ecdf76a55e75c1f5085e440f8ab671a3283ef5\nhttps://git.kernel.org/stable/c/c4e8eaa75fa0b6bcbfa5356d6195c4ad0e05e57a\nhttps://git.kernel.org/stable/c/84f8b76d24273175a22713e83e90874e1880d801\nhttps://git.kernel.org/stable/c/66b689efd08227da2c5ca49b58b30a95d23c695a\nhttps://git.kernel.org/stable/c/b9c310d72783cc2f30d103eed83920a5a29c671a",
    "id": "CVE-2026-31570",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 456a8a646b2563438c16a9b27decf9aa717f1ebb\nLinux Linux 456a8a646b2563438c16a9b27decf9aa717f1ebb\nLinux Linux 456a8a646b2563438c16a9b27decf9aa717f1ebb\nLinux Linux 456a8a646b2563438c16a9b27decf9aa717f1ebb\nLinux Linux 456a8a646b2563438c16a9b27decf9aa717f1ebb\nLinux Linux 456a8a646b2563438c16a9b27decf9aa717f1ebb\nLinux Linux 456a8a646b2563438c16a9b27decf9aa717f1ebb\nLinux Linux 456a8a646b2563438c16a9b27decf9aa717f1ebb\nLinux Linux 5.4",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "456a8a646b2563438c16a9b27decf9aa717f1ebb",
    "vendor": "Linux",
    "ai_description": "AI processing failed - invalid JSON response",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}