Out-of-Bounds Read Vulnerability in SocketCAN Implementation by Zephyr Project
CVE-2026-5071

6.1 MEDIUM

Key Information:

Status
Vendor
CVE Published: 30 May 2026

What is CVE-2026-5071?

The SocketCAN implementation in the Zephyr Project is susceptible to an out-of-bounds read caused by improper validation of a user-provided buffer length. In the zcan_sendto_ctx() function, the length of the socketcan_frame object is validated only with a NET_ASSERT statement, which has no effect in production builds where assertions are disabled. A userspace application controls the length parameter passed to the sendto syscall and can therefore submit a truncated frame. When socketcan_to_can_frame() then dereferences this incomplete frame, it may read memory beyond the end of the buffer. This could lead to denial-of-service crashes or leak sensitive adjacent memory contents, which are transmitted over the network.
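
The assertion-only length check described above, beside a runtime check, as an added example that is not code from the Zephyr Project or from this advisory. It is a simplified C model: model_frame, MODEL_ASSERT, send_assert_only and send_checked are hypothetical names, and the exact-length comparison is one assumed way to validate the length at run time.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for a SocketCAN frame; not Zephyr's definition. */
struct model_frame {
    uint32_t id;
    uint8_t  len;
    uint8_t  flags;
    uint8_t  data[8];
};

/* Models an assertion macro in a production build: it expands to nothing. */
#define MODEL_ASSERT(cond) ((void)0)

/* Pattern described in the advisory: the length is only asserted. */
int send_assert_only(const void *buf, size_t len, struct model_frame *out)
{
    MODEL_ASSERT(len == sizeof(struct model_frame));
    (void)len;                      /* nothing else ever looks at len */
    memcpy(out, buf, sizeof(*out)); /* reads a full frame regardless of len */
    return 0;
}

/* Hardened form (assumed): a runtime check that is present in every build. */
int send_checked(const void *buf, size_t len, struct model_frame *out)
{
    if (buf == NULL || len != sizeof(struct model_frame)) {
        return -EINVAL;
    }
    memcpy(out, buf, sizeof(*out));
    return 0;
}

/* Constructed input: the caller supplies 6 bytes inside a 32-byte region whose
 * other bytes (0xAA) stand in for unrelated adjacent memory. The region is
 * larger than a frame, so this demo itself never reads out of bounds. */
int demo_leaks_adjacent(void)
{
    uint8_t region[32];
    struct model_frame out;

    memset(region, 0xAA, sizeof(region));
    memset(region, 0x11, 6);        /* the bytes the caller actually supplied */
    send_assert_only(region, 6, &out);
    return out.data[7] == 0xAA;     /* 1: bytes past the claimed length were used */
}
```

With the runtime check, the same 6-byte submission is rejected with -EINVAL before any frame field is read.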

Affected Version(s)

Zephyr * <= 4.3

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
