PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-5071 zephyrproject-rtos CVE debrief

A medium-severity vulnerability in Zephyr RTOS's SocketCAN implementation allows out-of-bounds memory reads when userspace applications send truncated CAN frames. The flaw exists because buffer length validation relies solely on NET_ASSERT, which is disabled in production builds. An attacker with local access can trigger denial-of-service crashes or leak adjacent memory contents onto the CAN bus.

Vendor
zephyrproject-rtos
Product
Zephyr
CVSS
MEDIUM 6.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-30
Original CVE updated
2026-05-30
Advisory published
2026-05-30
Advisory updated
2026-05-30

Who should care

Organizations deploying Zephyr RTOS in production environments with SocketCAN networking enabled, particularly in automotive, industrial control, and IoT gateway applications where CAN bus connectivity is exposed to userspace applications.

Technical summary

In Zephyr RTOS, the SocketCAN subsystem's zcan_sendto_ctx() function validates the length of a user-provided socketcan_frame buffer using only NET_ASSERT before passing the buffer to socketcan_to_can_frame(). When assertions are disabled in production builds, a userspace application can supply a buffer shorter than sizeof(struct socketcan_frame), causing socketcan_to_can_frame() to read beyond the buffer boundary. The out-of-bounds data is parsed as CAN frame fields and transmitted on the physical CAN network, enabling both crash-inducing reads and information disclosure. The CVSS 3.1 score of 6.1 (Medium) reflects local attack vector, low privileges, and high availability impact with low confidentiality impact.

Defensive priority

medium

Recommended defensive actions

  • Apply patches from the Zephyr Project security advisory when available
  • Do not rely on NET_ASSERT for input validation: it wraps Zephyr's __ASSERT, which is compiled out unless CONFIG_ASSERT is enabled, so the check disappears from production firmware. Add an explicit runtime length check that rejects buffers shorter than sizeof(struct socketcan_frame) with an error before socketcan_to_can_frame() is called. Turning CONFIG_ASSERT on in production only converts the out-of-bounds read into a deterministic panic; it is a debugging aid, not a mitigation.
  • Audit other SocketCAN and networking code paths for similar assert-dependent validation patterns
  • Monitor CAN bus traffic for anomalous frame contents that may indicate memory leakage
  • Restrict local access to SocketCAN interfaces to trusted applications only
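Added example, not code from the advisory or from the Zephyr tree. It models the vulnerable pattern described in the technical summary beside the explicit runtime check the recommendations call for. struct socketcan_frame, struct can_frame, socketcan_to_can_frame() and NET_ASSERT are simplified stand-ins whose field names follow Zephyr's public headers but whose layouts are assumptions for this demo; the two sendto wrappers and the sample input are constructed here. The union lets the demo own the bytes past the caller's truncated buffer, so the over-read stays defined behaviour while still showing which bytes would reach the bus; on a real target they are whatever happens to sit next to the buffer.

```c
#include <assert.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for Zephyr's socketcan_frame / can_frame (assumed layouts
 * for this demo, not the project's headers): 8-byte header, then data[]. */
#define SOCKETCAN_MAX_DLEN 8
#define CAN_MAX_DLEN 8

struct socketcan_frame {
    uint32_t can_id;
    uint8_t len, flags, res0, res1;
    uint8_t data[SOCKETCAN_MAX_DLEN];
};

struct can_frame {
    uint32_t id;
    uint8_t dlc, flags;
    uint8_t data[CAN_MAX_DLEN];
};

/* Model of NET_ASSERT: in Zephyr it wraps __ASSERT, compiled out unless
 * CONFIG_ASSERT is set. Build with -DCONFIG_ASSERT to get the debug-build abort. */
#ifdef CONFIG_ASSERT
#define NET_ASSERT(cond) assert(cond)
#else
#define NET_ASSERT(cond) ((void)0)
#endif

/* Always reads a full socketcan_frame, however many bytes the caller owns. */
static void socketcan_to_can_frame(const struct socketcan_frame *s, struct can_frame *z)
{
    memset(z, 0, sizeof(*z));
    z->id = s->can_id;
    z->dlc = s->len;
    z->flags = s->flags;
    memcpy(z->data, s->data, CAN_MAX_DLEN);
}

/* Vulnerable pattern: the only length check is an assert, absent in production. */
static int vuln_sendto(const void *buf, size_t len, struct can_frame *out)
{
    NET_ASSERT(len == sizeof(struct socketcan_frame));
    socketcan_to_can_frame((const struct socketcan_frame *)buf, out);
    return 0;
}

/* Hardened pattern: an explicit runtime check that survives CONFIG_ASSERT=n. */
static int fixed_sendto(const void *buf, size_t len, struct can_frame *out)
{
    if (buf == NULL || len != sizeof(struct socketcan_frame)) {
        return -EINVAL;
    }
    socketcan_to_can_frame((const struct socketcan_frame *)buf, out);
    return 0;
}

/* Constructed sample: the caller supplies only the 8-byte header (TRUNCATED_LEN).
 * The union keeps the bytes aligned and makes this demo the owner of the
 * "adjacent memory" after the truncated buffer, filled with SENTINEL. */
#define TRUNCATED_LEN 8u
#define SENTINEL 0xAAu

union frame_backing {
    struct socketcan_frame frame;
    uint8_t bytes[sizeof(struct socketcan_frame)];
};

static union frame_backing sample;  /* constructed input, rebuilt on each call */
static struct can_frame scratch;    /* the frame that would be put on the bus */

static const uint8_t *truncated_sample(void)
{
    memset(sample.bytes, SENTINEL, sizeof(sample.bytes)); /* neighbouring memory */
    sample.frame.can_id = 0x123;                            /* the header the user did write */
    sample.frame.len = 2;
    sample.frame.flags = sample.frame.res0 = sample.frame.res1 = 0;
    /* data[] stays SENTINEL: it lies past the TRUNCATED_LEN bytes supplied */
    return sample.bytes;
}

/* How many of the payload bytes came from beyond the caller's buffer. */
static int leaked_payload_bytes(const struct can_frame *f)
{
    int n = 0;
    for (int i = 0; i < CAN_MAX_DLEN; i++) n += (f->data[i] == SENTINEL);
    return n;
}

int main(void)
{
    vuln_sendto(truncated_sample(), TRUNCATED_LEN, &scratch);
    printf("vulnerable path: id=0x%x dlc=%u, %d/%d payload bytes from adjacent memory\n",
           (unsigned)scratch.id, (unsigned)scratch.dlc, leaked_payload_bytes(&scratch), CAN_MAX_DLEN);
    printf("hardened path:   rc=%d (-EINVAL is %d)\n",
           fixed_sendto(truncated_sample(), TRUNCATED_LEN, &scratch), -EINVAL);
    return 0;
}
```

Compiled as-is the vulnerable path forwards all eight sentinel bytes as the frame payload and reports success; compiled with -DCONFIG_ASSERT it aborts instead, which is the debug-only behaviour the advisory describes. Only the explicit check in fixed_sendto() behaves the same in both builds.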

Evidence notes

The vulnerability was disclosed via the Zephyr Project security advisory GHSA-c3w6-x7m3-3c58 and published in the NVD on 2026-05-30. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H) confirms a local attack vector with low privileges required and no user interaction, yielding a Medium overall score. CWE-125 (Out-of-bounds Read) is the identified weakness.
