PT-2025-42262 · Linux+5 · Linux Kernel+5
Published 2025-10-15 · Updated 2026-05-27
CVE-2025-39987
| CVSS v3.1 | 9.8 Critical |
| --- | --- |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
A flaw exists in the Linux kernel's CAN (Controller Area Network) subsystem, specifically within the hi311x driver. Sending a PF_PACKET packet can bypass the CAN framework's logic and directly reach the driver's transmit function. A missing check in the ndo_change_mtu() function allows an attacker to configure an invalid MTU (Maximum Transmission Unit). This, combined with the use of the ETH_P_CANXL protocol and a crafted CAN XL frame, can lead to a buffer overflow in the hi3110_hw_tx() function when copying data using memcpy. The memcpy operation uses the frame length (frame->len) without proper validation, potentially causing a 247-byte overflow when the flags field of the CAN XL frame is set to 0xff. The vulnerable code is located in the hi3110_hw_tx() function. The issue arises because the driver does not validate the skb length and the CAN XL frame length, allowing a malicious packet to pass through checks and trigger the buffer overflow.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
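The length checks the description says are missing, shown as an added userspace model (not the hi311x driver source and not the upstream fix). The struct mirrors the layout of struct can_frame in linux/can.h, where len sits at the same offset as the CAN XL flags byte; the names can_frame_model, overflow_bytes, tx_copy_checked and check_constructed are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAN_MAX_DLEN 8u   /* classic CAN payload limit */

/* Model of struct can_frame: 16 bytes, len at offset 4 (assumed names). */
struct can_frame_model {
    uint32_t can_id;
    uint8_t  len;         /* a CAN XL frame carries its flags byte here */
    uint8_t  pad, res0, len8_dlc;
    uint8_t  data[CAN_MAX_DLEN];
};

/* Bytes an unchecked memcpy(dst, frame->data, frame->len) reads past data[]. */
size_t overflow_bytes(uint8_t len)
{
    return len > CAN_MAX_DLEN ? (size_t)len - CAN_MAX_DLEN : 0;
}

/* Checked copy: returns bytes copied, or -1 when the buffer is not exactly
 * one classic CAN frame or its len field exceeds the payload area. */
int tx_copy_checked(const void *skb_data, size_t skb_len,
                    uint8_t *tx_buf, size_t tx_buf_len)
{
    struct can_frame_model f;

    if (skb_len != sizeof(f))
        return -1;
    memcpy(&f, skb_data, sizeof(f));
    if (f.len > CAN_MAX_DLEN || f.len > tx_buf_len)
        return -1;
    memcpy(tx_buf, f.data, f.len);
    return f.len;
}

/* Runs the check on a constructed, zero-filled buffer with the byte at offset 4 set. */
int check_constructed(uint8_t len_byte, size_t skb_len)
{
    uint8_t skb[64] = {0};
    uint8_t tx[CAN_MAX_DLEN];

    skb[offsetof(struct can_frame_model, len)] = len_byte;
    return tx_copy_checked(skb, skb_len, tx, sizeof(tx));
}

int main(void)
{
    printf("overflow=%zu checked=%d\n", overflow_bytes(0xff), check_constructed(0xff, 16));
    return 0;
}
```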
Exploit
Buffer Overflow
Missing Authentication
Related Identifiers
Affected Products
Debian
Linuxmint
Linux Kernel
Suse
Ubuntu
Hi311X Driver