CVE-2026-31570

In the Linux kernel, the following vulnerability has been resolved:

can: gw: fix OOB heap access in cgwcsumcrc8_rel()

cgwcsumcrc8rel() correctly computes bounds-safe indices via calcidx():

int from = calc_idx(crc8->from_idx, cf->len);
int to   = calc_idx(crc8->to_idx,   cf->len);
int res  = calc_idx(crc8->result_idx, cf->len);

if (from < 0 || to < 0 || res < 0)
    return;

However, the loop and the result write then use the raw s8 fields directly instead of the computed variables:

for (i = crc8->from_idx; ...)        /* BUG: raw negative index */
cf->data[crc8->result_idx] = ...;    /* BUG: raw negative index */

With fromidx = toidx = resultidx = -64 on a 64-byte CAN FD frame, calcidx(-64, 64) = 0 so the guard passes, but the loop iterates with i = -64, reading cf->data[-64], and the write goes to cf->data[-64]. This write might end up to 56 (7.0-rc) or 40 (<= 6.19) bytes before the start of the canfd_frame on the heap.

The companion function cgwcsumxorrel() uses from/to/res correctly throughout; fix cgwcsumcrc8rel() to match.

Confirmed with KASAN on linux-7.0-rc2: BUG: KASAN: slab-out-of-bounds in cgwcsumcrc8rel+0x515/0x5b0 Read of size 1 at addr ffff8880076619c8 by task poccgw_oob/62

To configure the can-gw crc8 checksums CAPNETADMIN is needed.