CVE-2026-5071: Out-of-bounds Read in zephyrproject-rtos Zephyr
The SocketCAN implementation validates the length of a user-provided buffer containing a socketcan_frame object using only a NET_ASSERT statement in zcan_sendto_ctx() before dereferencing it in socketcan_to_can_frame(). In production builds where assertions are disabled, a userspace application that controls the length passed to a sendto syscall can supply an incomplete or truncated frame, causing socketcan_to_can_frame() to dereference fields beyond the end of the buffer. This results in an out-of-bounds read that can cause denial-of-service crashes or, because the parsed frame contents are transmitted on the network, leak adjacent memory.
AI Analysis (machine-generated threat intelligence)
Technical Summary
The vulnerability exists in Zephyr's SocketCAN code where the length of a socketcan_frame buffer is checked only by a NET_ASSERT in zcan_sendto_ctx(). In production builds, assertions are disabled, so an attacker controlling the length parameter to the sendto syscall can provide a truncated frame. This causes socketcan_to_can_frame() to dereference memory beyond the buffer end, resulting in an out-of-bounds read. The impact includes potential denial-of-service due to crashes and leakage of adjacent memory through network transmission of the malformed frame.
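The defect class the advisory describes is a length check that exists only inside an assert-style macro, so it is compiled out of release builds. The C below is an added illustration, not Zephyr's code: `demo_can_frame`, `DEMO_NET_ASSERT` and both `parse_frame_*` functions are hypothetical stand-ins for the `socketcan_frame`, `NET_ASSERT` and `socketcan_to_can_frame()` named on the page. It contrasts the assert-only guard with an explicit length check that runs in every build and rejects a truncated buffer before any field is read.

```c
#include <assert.h>
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical frame layout standing in for the page's socketcan_frame. */
struct demo_can_frame {
    uint32_t id;
    uint8_t  dlc;      /* number of valid payload bytes */
    uint8_t  data[8];  /* classic CAN payload */
};

/* Hypothetical stand-in for an assert-only check: with NDEBUG defined
 * (a typical release build) assert() expands to nothing and the guard
 * disappears entirely. */
#define DEMO_NET_ASSERT(cond) assert(cond)

/* Vulnerable pattern: the caller-controlled length is checked only by the
 * assertion, so in a release build a short buffer reaches the memcpy and
 * sizeof(*out) bytes are read regardless of how many the caller supplied. */
static int parse_frame_assert_only(const void *buf, size_t len,
                                   struct demo_can_frame *out)
{
    DEMO_NET_ASSERT(len >= sizeof(struct demo_can_frame));
    memcpy(out, buf, sizeof(*out));
    return 0;
}

/* Hardened pattern: validate the length unconditionally before touching the
 * buffer and fail with -EINVAL, so the check survives every build
 * configuration. The DLC is bounds-checked as well so a later copy of
 * out->data cannot run past the struct. */
static int parse_frame_checked(const void *buf, size_t len,
                               struct demo_can_frame *out)
{
    if (buf == NULL || out == NULL) {
        return -EINVAL;
    }
    if (len < sizeof(struct demo_can_frame)) {
        return -EINVAL;   /* truncated frame: refuse instead of reading past it */
    }
    memcpy(out, buf, sizeof(*out));
    if (out->dlc > sizeof(out->data)) {
        return -EINVAL;
    }
    return 0;
}

/* Constructed sample input: one complete frame, parsed with the full length
 * and again with a length that is too short. Only the complete case should
 * succeed. The assert-only parser is exercised with the full length only. */
static int demo(void)
{
    struct demo_can_frame full = { .id = 0x123, .dlc = 2, .data = { 0xAA, 0xBB } };
    struct demo_can_frame parsed;

    int legacy    = parse_frame_assert_only(&full, sizeof(full), &parsed);
    int ok        = parse_frame_checked(&full, sizeof(full), &parsed);
    int truncated = parse_frame_checked(&full, 5, &parsed);

    return (legacy == 0 && ok == 0 && truncated == -EINVAL) ? 1 : 0;
}
```

The point of the hardened variant is that the check is ordinary control flow rather than a debug aid: it cannot be removed by a build flag, and a truncated buffer from a sendto-style caller is rejected before its contents could be parsed or transmitted.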
Potential Impact
An attacker with limited privileges (local user with permission to send socketcan frames) can cause the system to crash (denial-of-service) or leak adjacent memory contents over the network. The confidentiality of memory adjacent to the buffer may be compromised. There is no indication of code execution or privilege escalation. The CVSS score is 6.1 (medium severity), reflecting local attack vector with low complexity and no user interaction required.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should restrict access to the sendto syscall for socketcan frames to trusted users only. Monitoring for abnormal socketcan frame lengths may help detect exploitation attempts. Avoid running production builds with assertions disabled if possible, or apply any vendor-provided mitigations once available.
CVSS v3.1 Score: 6.1 (Medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: zephyr
- Date Reserved: 2026-03-27T23:41:28.910Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a1a99e5e29bf47b50fb7f2a
Added to database: 5/30/2026, 8:03:49 AM
Last enriched: 5/30/2026, 8:18:26 AM
Last updated: 5/31/2026, 4:26:43 AM