CVE-2025-39988

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A flaw exists in the Linux kernel's CAN subsystem, specifically within the etas es58x driver. Sending a PF PACKET can bypass the CAN framework's logic and directly reach the driver's xmit() function. If the driver does not populate its net device ops->ndo change mtu(), an attacker can configure an invalid MTU. This allows the injection of malicious CAN XL frames via a PF PACKET socket using the ETH P CANXL protocol. The vulnerability occurs because the driver incorrectly handles the CAN XL frame, misinterpreting it as a CAN(FD) frame, leading to a buffer overflow when copying data. Specifically, the memcpy function in es581 4 tx can msg() copies data based on the flags field of the CAN XL frame, potentially overflowing a buffer by up to 247 bytes. The issue is triggered when the skb->protocol is set to ETH P CANXL and the length is a valid CAN XL length.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.