{"id":"CVE-2026-31570","summary":"can: gw: fix OOB heap access in cgw_csum_crc8_rel()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gw: fix OOB heap access in cgw_csum_crc8_rel()\n\ncgw_csum_crc8_rel() correctly computes bounds-safe indices via calc_idx():\n\n    int from = calc_idx(crc8-\u003efrom_idx, cf-\u003elen);\n    int to   = calc_idx(crc8-\u003eto_idx,   cf-\u003elen);\n    int res  = calc_idx(crc8-\u003eresult_idx, cf-\u003elen);\n\n    if (from \u003c 0 || to \u003c 0 || res \u003c 0)\n        return;\n\nHowever, the loop and the result write then use the raw s8 fields directly\ninstead of the computed variables:\n\n    for (i = crc8-\u003efrom_idx; ...)        /* BUG: raw negative index */\n    cf-\u003edata[crc8-\u003eresult_idx] = ...;    /* BUG: raw negative index */\n\nWith from_idx = to_idx = result_idx = -64 on a 64-byte CAN FD frame,\ncalc_idx(-64, 64) = 0 so the guard passes, but the loop iterates with\ni = -64, reading cf-\u003edata[-64], and the write goes to cf-\u003edata[-64].\nThis write might end up to 56 (7.0-rc) or 40 (\u003c= 6.19) bytes before the\nstart of the canfd_frame on the heap.\n\nThe companion function cgw_csum_xor_rel() uses `from`/`to`/`res`\ncorrectly throughout; fix cgw_csum_crc8_rel() to match.\n\nConfirmed with KASAN on linux-7.0-rc2:\n  BUG: KASAN: slab-out-of-bounds in cgw_csum_crc8_rel+0x515/0x5b0\n  Read of size 1 at addr ffff8880076619c8 by task poc_cgw_oob/62\n\nTo configure the can-gw crc8 checksums CAP_NET_ADMIN is needed.","modified":"2026-05-13T03:52:17.472313222Z","published":"2026-04-24T14:35:49.435Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31570.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/54ecdf76a55e75c1f5085e440f8ab671a3283ef5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/66b689efd08227da2c5ca49b58b30a95d23c695a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/84f8b76d24273175a22713e83e90874e1880d801"},{"type":"WEB","url":"https://git.kernel.org/stable/c/999ca48d55a8a46da21519db7e834e5867200379"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a025283d7f7404c739225e457fb99db2368bb544"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b9c310d72783cc2f30d103eed83920a5a29c671a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c4e8eaa75fa0b6bcbfa5356d6195c4ad0e05e57a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e7c99348b0612b2bc02d5ce6ff9873261cc7605f"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31570.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31570"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"456a8a646b2563438c16a9b27decf9aa717f1ebb"},{"fixed":"e7c99348b0612b2bc02d5ce6ff9873261cc7605f"},{"fixed":"999ca48d55a8a46da21519db7e834e5867200379"},{"fixed":"a025283d7f7404c739225e457fb99db2368bb544"},{"fixed":"54ecdf76a55e75c1f5085e440f8ab671a3283ef5"},{"fixed":"c4e8eaa75fa0b6bcbfa5356d6195c4ad0e05e57a"},{"fixed":"84f8b76d24273175a22713e83e90874e1880d801"},{"fixed":"66b689efd08227da2c5ca49b58b30a95d23c695a"},{"fixed":"b9c310d72783cc2f30d103eed83920a5a29c671a"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31570.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.4.0"},{"fixed":"5.10.253"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.203"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.168"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.131"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.80"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.21"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.11"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31570.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}