PT-2025-42260 · Linux+4 · Linux Kernel+4
Published: 2025-10-15 · Updated: 2026-05-07 · CVE-2025-39985
CVSS v2.0: 7.7 (High)
Vector: AV:A/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
A flaw exists in the Linux kernel's mcba_usb CAN driver related to handling PF_PACKET sockets and CAN XL frames. Specifically, the driver lacks proper MTU validation through the ndo_change_mtu() function. This allows an attacker to configure an invalid MTU, potentially injecting malicious CAN XL frames via a PF_PACKET socket using the ETH_P_CANXL protocol. The vulnerability can lead to a buffer overflow in the mcba_usb_start_xmit() function when processing the frame's length (cf->len) without sufficient checks, specifically when copying data using memcpy. The usb_msg.dlc variable is assigned the value of cf->len without validation, and then used in a memcpy operation, leading to a potential overflow of up to 247 bytes if the cf->len value is larger than the expected maximum length of 8. The vulnerable function is mcba_usb_start_xmit(). The API endpoint used is a PF_PACKET socket with the protocol ETH_P_CANXL. The vulnerable parameter is cf->len.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
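A user-space model of the two checks the description says are missing, added here as an illustration; it is not the driver's code or an upstream patch. The struct layouts and the names model_change_mtu(), unchecked_overrun() and checked_fill() are hypothetical, and the 16-byte frame size is an assumption of this model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAN_MAX_DLEN 8 /* the "expected maximum length of 8" from the description */

/* Simplified stand-ins; the field layout is an assumption of this model. */
struct model_can_frame {
    uint32_t can_id;
    uint8_t  len;   /* untrusted when the frame arrives via PF_PACKET */
    uint8_t  pad[3];
    uint8_t  data[CAN_MAX_DLEN];
};
struct model_usb_msg {
    uint8_t dlc;
    uint8_t data[CAN_MAX_DLEN];
};

/* Layer 1: MTU gate. A Classical CAN only interface accepts exactly one
 * frame size (16 bytes in this model), so any other MTU is rejected. */
int model_change_mtu(unsigned int new_mtu)
{
    return new_mtu == sizeof(struct model_can_frame) ? 0 : -1;
}

/* Bytes that "dlc = len; memcpy(dst, src, dlc)" would write past data[]. */
unsigned int unchecked_overrun(uint8_t len)
{
    return len > CAN_MAX_DLEN ? (unsigned int)len - CAN_MAX_DLEN : 0;
}

/* Layer 2: validate len before it becomes the memcpy size.
 * Returns 0 on success, -1 when the frame must be dropped. */
int checked_fill(struct model_usb_msg *msg, const struct model_can_frame *cf)
{
    if (cf->len > CAN_MAX_DLEN)
        return -1;
    msg->dlc = cf->len;
    memcpy(msg->data, cf->data, msg->dlc);
    return 0;
}

int main(void)
{
    struct model_can_frame cf = { .len = 0xff }; /* constructed sample frame */
    struct model_usb_msg msg = { 0 };
    printf("overrun %u, fill %d, mtu %d\n", unchecked_overrun(cf.len),
           checked_fill(&msg, &cf), model_change_mtu(9999));
    return 0;
}
```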
Exploit
Buffer Overflow
Weakness Enumeration
Related Identifiers
Affected Products
Debian
Linuxmint
Linux Kernel
Suse
Ubuntu