CVE Catalog

CVE-2026-5071

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.11%

1th percentile - higher than 1% of all known CVEs

Summary

The SocketCAN implementation in the Linux kernel fails to properly validate the length of a user-supplied buffer in zcan_sendto_ctx(). In production builds with assertions disabled, an application can supply a truncated frame, causing an out-of-bounds read.

Risk Assessment

An attacker can cause a denial-of-service crash or leak kernel memory contents over the network, as the out-of-bounds data is transmitted.

Recommendation

Immediately update the Linux kernel to a version containing the fix for CVE-2026-5071. Until then, restrict SocketCAN socket access to trusted applications only.

Original NVD description (English source)

The SocketCAN implementation validates the length of a user-provided buffer containing a socketcan_frame object using only a NET_ASSERT statement in zcan_sendto_ctx() before dereferencing it in socketcan_to_can_frame(). In production builds where assertions are disabled, a userspace application that controls the length passed to a sendto syscall can supply an incomplete or truncated frame, causing socketcan_to_can_frame() to dereference fields beyond the end of the buffer. This results in an out-of-bounds read that can cause denial-of-service crashes or, because the parsed frame contents are transmitted on the network, leak adjacent memory.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS