Cyber Posture

CVE-2026-31570

High

Published: 24 April 2026

Published
24 April 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0003 8.7th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-31570 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Linux Linux Kernel. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 8.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Timely flaw remediation through kernel patching directly fixes the out-of-bounds heap access in cgw_csum_crc8_rel() by using bounds-safe indices throughout.

SI-10 Information Input Validation good match
prevent

Information input validation enforces bounds checking on signed indices like from_idx, to_idx, and result_idx to prevent OOB memory access in CAN FD frame processing.

SI-16 Memory Protection partial match
prevent

Memory protection mechanisms such as kernel address space layout randomization and heap isolation mitigate the impact of heap corruption from OOB writes.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

Kernel heap OOB read/write in can-gw module (requiring CAP_NET_ADMIN) directly enables memory corruption that can be leveraged for privilege escalation on Linux hosts.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

In the Linux kernel, the following vulnerability has been resolved: can: gw: fix OOB heap access in cgw_csum_crc8_rel() cgw_csum_crc8_rel() correctly computes bounds-safe indices via calc_idx(): int from = calc_idx(crc8->from_idx, cf->len); int to = calc_idx(crc8->to_idx, cf->len); int res = calc_idx(crc8->result_idx, cf->len);…

more

if (from < 0 || to < 0 || res < 0) return; However, the loop and the result write then use the raw s8 fields directly instead of the computed variables: for (i = crc8->from_idx; ...) /* BUG: raw negative index */ cf->data[crc8->result_idx] = ...; /* BUG: raw negative index */ With from_idx = to_idx = result_idx = -64 on a 64-byte CAN FD frame, calc_idx(-64, 64) = 0 so the guard passes, but the loop iterates with i = -64, reading cf->data[-64], and the write goes to cf->data[-64]. This write might end up to 56 (7.0-rc) or 40 (<= 6.19) bytes before the start of the canfd_frame on the heap. The companion function cgw_csum_xor_rel() uses `from`/`to`/`res` correctly throughout; fix cgw_csum_crc8_rel() to match. Confirmed with KASAN on linux-7.0-rc2: BUG: KASAN: slab-out-of-bounds in cgw_csum_crc8_rel+0x515/0x5b0 Read of size 1 at addr ffff8880076619c8 by task poc_cgw_oob/62 To configure the can-gw crc8 checksums CAP_NET_ADMIN is needed.

Deeper analysisAI

CVE-2026-31570 is an out-of-bounds heap access vulnerability in the Linux kernel's CAN gateway (can-gw) module, specifically within the cgw_csum_crc8_rel() function. The function correctly computes bounds-safe indices using calc_idx() based on signed 8-bit fields like from_idx, to_idx, and result_idx relative to the CAN FD frame length. However, the subsequent loop iteration and result write use the raw fields directly, allowing negative values—such as -64 on a 64-byte CAN FD frame—to bypass the bounds check and access memory offsets before the canfd_frame structure on the heap, up to 56 bytes in linux-7.0-rc or 40 bytes in kernels up to 6.19.

An adjacent attacker (AV:A) can exploit this with low attack complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N). The CAN gateway must first be configured for CRC8 checksums, which requires CAP_NET_ADMIN capability. Once configured, the attacker can send a crafted CAN FD frame with negative from_idx, to_idx, and result_idx values, triggering out-of-bounds heap reads in the loop and a write to cf->data[-64]. This leads to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H; CVSS 8.8), enabling heap memory corruption as confirmed by KASAN reports.

Mitigation requires applying upstream kernel patches from the referenced stable commits, such as https://git.kernel.org/stable/c/54ecdf76a55e75c1f5085e440f8ab671a3283ef5, https://git.kernel.org/stable/c/66b689efd08227da2c5ca49b58b30a95d23c695a, and others. These patches fix cgw_csum_crc8_rel() to use the computed safe indices throughout the loop and write operations, consistent with the correctly implemented companion function cgw_csum_xor_rel(). The vulnerability aligns with CWE-125 (Out-of-bounds Read) and was verified using KASAN on linux-7.0-rc2 with a proof-of-concept named poc_cgw_oob.

Details

CWE(s)
CWE-125

Affected Products

linux
linux kernel
5.4, 7.0 · 5.4.1 — 5.10.253 · 5.11 — 5.15.203 · 5.16 — 6.1.168

CVEs Like This One

CVE-2026-23099Same product: Linux Linux Kernel
CVE-2026-23407Same product: Linux Linux Kernel
CVE-2025-71112Same product: Linux Linux Kernel
CVE-2026-43025Same product: Linux Linux Kernel
CVE-2026-31675Same product: Linux Linux Kernel
CVE-2026-43048Same product: Linux Linux Kernel
CVE-2026-31641Same product: Linux Linux Kernel
CVE-2026-23406Same product: Linux Linux Kernel
CVE-2024-57998Same product: Linux Linux Kernel
CVE-2026-31558Same product: Linux Linux Kernel

References