PT-2025-42261 · Linux+4 · Linux Kernel+4
Published: 2025-10-15 · Updated: 2026-05-07
CVE-2025-39986
CVSS v2.0: 7.7 (High)
Vector: AV:A/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
A flaw exists in the sun4i_can driver within the Linux kernel where a missing check in the ndo_change_mtu() function allows an attacker to configure an invalid MTU. This can be exploited by sending PF_PACKET frames using the ETH_P_CANXL protocol, potentially leading to a buffer overflow. Specifically, the driver fails to validate the skb length against the interface's MTU, allowing a malicious CAN XL frame with a large length value to bypass checks. The sun4ican_start_xmit() function then receives this frame and attempts to process it as a standard CAN frame, resulting in a buffer overflow when copying the frame data. The vulnerable code section involves the use of cf->len without proper bounds checking, leading to a potential overflow of 247 bytes when writing data to memory. The issue arises because the driver does not populate its net_device_ops->ndo_change_mtu(), enabling the manipulation of the MTU value.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
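The two checks whose absence the description points to, modelled in user space as an added example (not the kernel's or the driver's code): an MTU validator and a length-bounded payload copy. The `model_*` names and the stand-in frame struct are hypothetical; the size constants are those of the Linux CAN UAPI header.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Sizes as defined in the Linux CAN UAPI header (linux/can.h). */
#define CAN_MAX_DLEN 8   /* payload bytes in a Classical CAN frame */
#define CAN_MTU      16  /* sizeof(struct can_frame) */
#define CANFD_MTU    72  /* sizeof(struct canfd_frame) */

/* Constructed stand-in for struct can_frame, not the kernel definition. */
struct model_can_frame {
    uint32_t can_id;
    uint8_t  len;        /* 8-bit length field, 0..255 */
    uint8_t  pad[3];
    uint8_t  data[CAN_MAX_DLEN];
};

/* Hypothetical MTU validator: only frame sizes the device supports pass. */
bool model_mtu_ok(unsigned int new_mtu, bool fd_capable)
{
    return new_mtu == CAN_MTU || (fd_capable && new_mtu == CANFD_MTU);
}

/* Worst-case bytes beyond the 8-byte payload when cf->len is trusted as-is. */
size_t model_worst_overrun(void)
{
    return (size_t)UINT8_MAX - CAN_MAX_DLEN;
}

/* Hypothetical bounded copy: returns bytes copied, 0 if the frame is rejected. */
size_t model_copy_payload(uint8_t *dst, size_t dst_len, size_t skb_len,
                          const struct model_can_frame *cf)
{
    if (skb_len != CAN_MTU || cf->len > CAN_MAX_DLEN || cf->len > dst_len)
        return 0;
    for (size_t i = 0; i < cf->len; i++)
        dst[i] = cf->data[i];
    return cf->len;
}

int main(void)
{
    struct model_can_frame cf = { .can_id = 0x123, .len = 255 }; /* constructed */
    uint8_t out[CAN_MAX_DLEN];
    printf("mtu 2060 ok: %d, copied: %zu, unchecked overrun: %zu\n", model_mtu_ok(2060, false),
           model_copy_payload(out, sizeof(out), CAN_MTU, &cf), model_worst_overrun());
    return 0;
}
```

The 247-byte figure in the description is the gap between the largest value an 8-bit length field can hold (255) and the 8-byte Classical CAN payload.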
Exploit
Buffer Overflow
Weakness Enumeration
Related Identifiers
Affected Products
Debian
Linuxmint
Linux Kernel
Suse
Ubuntu