VYPR
Unrated severity · NVD Advisory · Published Dec 24, 2025 · Updated Apr 15, 2026

CVE-2023-54039

Description

In the Linux kernel, the following vulnerability has been resolved:

can: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access

In the j1939_tp_tx_dat_new() function, an out-of-bounds memory access could occur during the memcpy() operation if the size of skb->cb is larger than the size of struct j1939_sk_buff_cb. This is because the memcpy() operation uses the size of skb->cb, leading to a read beyond the struct j1939_sk_buff_cb.

Updated the memcpy() operation to use the size of struct j1939_sk_buff_cb instead of the size of skb->cb. This ensures that the memcpy() operation only reads the memory within the bounds of struct j1939_sk_buff_cb, preventing out-of-bounds memory access.

Additionally, add a BUILD_BUG_ON() to check that the size of skb->cb is greater than or equal to the size of struct j1939_sk_buff_cb. This ensures that the skb->cb buffer is large enough to hold the j1939_sk_buff_cb structure.

[mkl: rephrase commit message]

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's CAN J1939 protocol, an out-of-bounds memory access in j1939_tp_tx_dat_new() could allow memory corruption.

Vulnerability

In the Linux kernel's CAN J1939 protocol implementation, the function j1939_tp_tx_dat_new() contains an out-of-bounds memory access vulnerability. The issue occurs during a memcpy() operation that uses the size of skb->cb (the control buffer of a socket buffer) instead of the intended size of struct j1939_sk_buff_cb. This mismatch can lead to reading beyond the bounds of the smaller structure, potentially causing memory corruption or information disclosure [1].

Exploitation

To exploit this vulnerability, an attacker would need the ability to send crafted CAN J1939 frames, which typically requires local access to the system or the ability to interact with the CAN bus. The bug is triggered during the transmission of data packets, specifically when the kernel allocates and initializes a new transport protocol data unit. No special privileges beyond the ability to use J1939 sockets are required, but the attacker must be able to craft CAN frames that trigger the vulnerable code path [1].

Impact

Successful exploitation could lead to memory corruption, potentially allowing an attacker to crash the system (denial of service), which is more likely than arbitrary code execution. The out-of-bounds read may also expose sensitive kernel memory. The vulnerability is considered moderate severity due to the local access requirement and the specific conditions needed to trigger it [1].

Mitigation

The fix has been applied to the Linux kernel stable tree. The patch updates the memcpy() to use the correct size (sizeof(struct j1939_sk_buff_cb)) and adds a BUILD_BUG_ON() compile-time check to ensure the control buffer is large enough. Users should update their kernel to a version containing this commit or apply the backported patch [1][2][3].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
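The size mismatch described above, modelled in userspace C as an added example (not kernel source and not the patch itself): `struct model_skb`, `struct model_cb`, `struct arena` and the helper names are hypothetical, and the 48-byte `cb[]` size is an assumption. The source struct is embedded in a larger object so the pre-fix over-read stays defined and the bytes it pulls in can be counted.

```c
#include <stdio.h>
#include <string.h>

#define CB_SIZE 48 /* assumed size of sk_buff's cb[] scratch area */
/* Stand-in for struct sk_buff: only the control buffer matters here. */
struct model_skb { char cb[CB_SIZE]; };
/* Hypothetical stand-in for struct j1939_sk_buff_cb (not the kernel layout). */
struct model_cb { unsigned int flags; unsigned int offset; unsigned char prio; };
/* Source struct plus adjacent bytes, so the over-read stays inside one object. */
struct arena { struct model_cb cb; unsigned char neighbour[CB_SIZE]; };
/* Userspace analogue of the BUILD_BUG_ON() added by the fix. */
_Static_assert(sizeof(((struct model_skb *)0)->cb) >= sizeof(struct model_cb),
               "cb[] cannot hold the control block");

/* Pre-fix pattern: copy length comes from the destination buffer. */
static void copy_cb_before(struct model_skb *skb, const void *src)
{
    memcpy(skb->cb, src, sizeof(skb->cb));
}

/* Post-fix pattern: copy length comes from the source structure. */
static void copy_cb_after(struct model_skb *skb, const struct model_cb *src)
{
    memcpy(skb->cb, src, sizeof(*src));
}

/* Return how many neighbouring bytes (marked 0xAA) end up in skb->cb. */
static size_t leaked_bytes(int use_fixed)
{
    struct arena a;
    struct model_skb skb;
    size_t i, n = 0;
    memset(&a, 0, sizeof(a));
    memset(a.neighbour, 0xAA, sizeof(a.neighbour));
    memset(&skb, 0, sizeof(skb));
    if (use_fixed)
        copy_cb_after(&skb, &a.cb);
    else
        copy_cb_before(&skb, &a);
    for (i = 0; i < sizeof(skb.cb); i++)
        n += ((unsigned char)skb.cb[i] == 0xAA);
    return n;
}

int main(void)
{
    printf("before fix: %zu bytes, after fix: %zu bytes\n", leaked_bytes(0), leaked_bytes(1));
    return 0;
}
```

The same pattern is worth grepping for in other code that stores a private struct in `skb->cb`: a `memcpy()` whose length is `sizeof(skb->cb)` while one side is the smaller private struct.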
