CVE-2026-31570: Linux Kernel CAN Gateway Heap Out-of-Bounds Access in cgw_csum_crc8_rel()
Short version: CVE-2026-31570 is a Linux kernel vulnerability in the SocketCAN CAN gateway code, specifically in the CRC8 checksum handling path in net/can/gw.c. The bug can cause out-of-bounds heap reads and writes when specially crafted CAN gateway CRC8 checksum parameters use negative relative indices. The fix is to use the already bounds-checked index values instead of the raw signed fields. The Linux CNA published the record on April 24, 2026, and the affected code path requires CAP_NET_ADMIN to configure CAN gateway CRC8 checksum rules.What is affected?
The vulnerability affects the Linux kernel’s CAN gateway subsystem, part of the broader SocketCAN stack. SocketCAN is Linux’s in-kernel implementation of CAN networking, using the Linux networking stack and socket API for Controller Area Network traffic, a technology common in automotive, industrial automation, robotics, and embedded systems.According to the CVE record, the affected source file is:
net/can/gw.cThe vulnerable function is:
cgw_csum_crc8_rel()The CVE record identifies Linux kernel versions starting at 5.4 as affected, with fixes reflected in stable versions including 5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, and the original fix line for 7.0.
Technical cause
The bug is a classic “validated value not used” issue.The vulnerable function computes safe, normalized indexes using
calc_idx():
Code:
int from = calc_idx(crc8->from_idx, cf->len);
int to = calc_idx(crc8->to_idx, cf->len);
int res = calc_idx(crc8->result_idx, cf->len);
if (from < 0 || to < 0 || res < 0)
return;s8 fields instead of the checked from, to, and res variables. With values such as from_idx = to_idx = result_idx = -64 on a 64-byte CAN FD frame, calc_idx(-64, 64) resolves to index 0, so the guard passes, but the later code still accesses cf->data[-64]. The CVE record says this can land 56 bytes before the start of the canfd_frame on Linux 7.0-rc or 40 bytes before it on kernels up to 6.19.The fix is straightforward: make
cgw_csum_crc8_rel() consistently use the validated from, to, and res variables, matching the safer behavior already used by the companion XOR checksum function cgw_csum_xor_rel().Impact
This is a kernel heap out-of-bounds read/write in a networking subsystem. In practice, that can mean:- kernel memory corruption,
- kernel crash or denial of service,
- potential privilege escalation depending on heap layout, mitigations, and exploitability,
- possible corruption of adjacent kernel heap objects.
linux-7.0-rc2, showing a slab out-of-bounds read in cgw_csum_crc8_rel().The practical risk is reduced by the requirement that the attacker must be able to configure CAN gateway CRC8 checksum rules, which requires CAP_NET_ADMIN. That usually means the attacker already has elevated privileges in the relevant network namespace, but this still matters because CAP_NET_ADMIN is often granted to containers, network appliances, embedded workloads, test systems, and CI environments more casually than full root.
Severity status
As of the data you provided, NVD had not yet completed enrichment and had not assigned its own NIST CVSS score. Some third-party vulnerability databases list a high severity rating; for example, Tenable lists CVSS v3 as 7.8 High and EPSS as very low at 0.00024, but those are third-party ratings rather than the NVD’s final enrichment result.A reasonable operational classification is: high importance for systems using CAN gateway functionality, lower urgency for systems without CAN support or without CAP_NET_ADMIN exposure to untrusted users.
Windows and WSL relevance
This is not a native Windows kernel vulnerability. It is a Linux kernel issue. However, it can still appear in Microsoft security tracking because Microsoft monitors third-party components and Linux environments relevant to Microsoft customers.For Windows users, the main areas to check are:
- WSL 2 environments
WSL 2 uses a real Linux kernel, and Microsoft documentation notes that.wslconfigcan configure the kernel used by WSL 2 distributions, including custom kernels. - Custom WSL kernels
If you built or deployed a custom WSL kernel with CAN and CAN gateway support enabled, verify whether it includes the fix. - Azure, IoT, embedded, or appliance Linux images
Any Linux environment with CAN gateway support may be relevant, especially automotive, robotics, manufacturing, lab, or hardware-in-the-loop systems. - Containers with CAP_NET_ADMIN
Containers granted CAP_NET_ADMIN may be able to reach sensitive network configuration functionality depending on kernel configuration and namespace exposure.
How to check exposure
On Linux systems, start with the running kernel version:uname -rThen check whether CAN gateway support is available or loaded:
Code:
lsmod | grep can
modinfo can-gw 2>/dev/null
Code:
zgrep CONFIG_CAN_GW /proc/config.gz
grep CONFIG_CAN_GW /boot/config-$(uname -r)CONFIG_CAN_GW=yor:
CONFIG_CAN_GW=mIf it is not enabled, the vulnerable code path is not present in that kernel build. If it is enabled as a module, ensure the module is not loaded unless needed, and patch the kernel.
Fixed versions to look for
Based on the CVE record, fixed or unaffected stable versions include:| Kernel branch | Fixed version threshold |
|---|---|
| 5.10.y | 5.10.253 or later |
| 5.15.y | 5.15.203 or later |
| 6.1.y | 6.1.168 or later |
| 6.6.y | 6.6.131 or later |
| 6.12.y | 6.12.80 or later |
| 6.18.y | 6.18.21 or later |
| 6.19.y | 6.19.11 or later |
| 7.0 line | fixed in 7.0 development line |
Mitigation guidance
The best fix is to update to a kernel that includes the relevant stable patch.If immediate patching is not possible:
- avoid loading
can-gwunless required; - restrict CAP_NET_ADMIN to trusted users and containers only;
- audit containers, systemd services, and orchestration policies that grant CAP_NET_ADMIN;
- avoid exposing CAN gateway configuration interfaces to untrusted workloads;
- monitor for crashes or KASAN-style reports involving
cgw_csum_crc8_rel; - prioritize embedded, automotive, robotics, and industrial systems where SocketCAN is actively used.
Bottom line
CVE-2026-31570 is a narrow but real Linux kernel memory-safety bug in the CAN gateway CRC8 checksum path. The exploitation precondition—CAP_NET_ADMIN—is important and lowers broad internet-scale risk, but it does not make the issue harmless. Systems that use SocketCAN, CAN FD, CAN gateway routing, or privileged containers should patch promptly, especially on kernels in the affected 5.4-and-newer range before the fixed stable releases.Source: NVD / Linux Kernel Security Update Guide - Microsoft Security Response Center
