CVE-2026-5071
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk1th percentile - higher than 1% of all known CVEs
Summary
The SocketCAN implementation in the Linux kernel fails to properly validate the length of a user-supplied buffer in zcan_sendto_ctx(). In production builds with assertions disabled, an application can supply a truncated frame, causing an out-of-bounds read.
Risk Assessment
An attacker can cause a denial-of-service crash or leak kernel memory contents over the network, as the out-of-bounds data is transmitted.
Recommendation
Immediately update the Linux kernel to a version containing the fix for CVE-2026-5071. Until then, restrict SocketCAN socket access to trusted applications only.
Original NVD description (English source)
The SocketCAN implementation validates the length of a user-provided buffer containing a socketcan_frame object using only a NET_ASSERT statement in zcan_sendto_ctx() before dereferencing it in socketcan_to_can_frame(). In production builds where assertions are disabled, a userspace application that controls the length passed to a sendto syscall can supply an incomplete or truncated frame, causing socketcan_to_can_frame() to dereference fields beyond the end of the buffer. This results in an out-of-bounds read that can cause denial-of-service crashes or, because the parsed frame contents are transmitted on the network, leak adjacent memory.

