{
  "affected": [
    {
      "ecosystem_specific": {
        "urgency": "not yet assigned"
      },
      "package": {
        "ecosystem": "Debian:11",
        "name": "linux"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.10.257-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "ecosystem_specific": {
        "urgency": "not yet assigned"
      },
      "package": {
        "ecosystem": "Debian:12",
        "name": "linux"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.1.170-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "ecosystem_specific": {
        "urgency": "not yet assigned"
      },
      "package": {
        "ecosystem": "Debian:13",
        "name": "linux"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.12.85-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "ecosystem_specific": {
        "urgency": "not yet assigned"
      },
      "package": {
        "ecosystem": "Debian:14",
        "name": "linux"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.19.11-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "ecosystem_specific": {
        "urgency": "not yet assigned"
      },
      "package": {
        "ecosystem": "Debian:11",
        "name": "linux-6.1"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.1.170-1~deb11u1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "In the Linux kernel, the following vulnerability has been resolved:  can: gw: fix OOB heap access in cgw_csum_crc8_rel()  cgw_csum_crc8_rel() correctly computes bounds-safe indices via calc_idx():      int from = calc_idx(crc8-\u003efrom_idx, cf-\u003elen);     int to   = calc_idx(crc8-\u003eto_idx,   cf-\u003elen);     int res  = calc_idx(crc8-\u003eresult_idx, cf-\u003elen);      if (from \u003c 0 || to \u003c 0 || res \u003c 0)         return;  However, the loop and the result write then use the raw s8 fields directly instead of the computed variables:      for (i = crc8-\u003efrom_idx; ...)        /* BUG: raw negative index */     cf-\u003edata[crc8-\u003eresult_idx] = ...;    /* BUG: raw negative index */  With from_idx = to_idx = result_idx = -64 on a 64-byte CAN FD frame, calc_idx(-64, 64) = 0 so the guard passes, but the loop iterates with i = -64, reading cf-\u003edata[-64], and the write goes to cf-\u003edata[-64]. This write might end up to 56 (7.0-rc) or 40 (\u003c= 6.19) bytes before the start of the canfd_frame on the heap.  The companion function cgw_csum_xor_rel() uses `from`/`to`/`res` correctly throughout; fix cgw_csum_crc8_rel() to match.  Confirmed with KASAN on linux-7.0-rc2:   BUG: KASAN: slab-out-of-bounds in cgw_csum_crc8_rel+0x515/0x5b0   Read of size 1 at addr ffff8880076619c8 by task poc_cgw_oob/62  To configure the can-gw crc8 checksums CAP_NET_ADMIN is needed.",
  "id": "DEBIAN-CVE-2026-31570",
  "modified": "2026-05-29T17:48:13.614978313Z",
  "published": "2026-04-24T15:16:31.520Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://security-tracker.debian.org/tracker/CVE-2026-31570"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "upstream": [
    "CVE-2026-31570"
  ]
}