CVE-2025-40020

Vulnerability

In the Linux kernel's peak_usb CAN driver, a shift-out-of-bounds vulnerability exists when the driver performs a bit shift operation using a 32-bit constant. When the number of bits to shift is 32 (as is the case for PC CAN FD interfaces supported by this driver), the shift exceeds the width of the type, leading to undefined behavior [1].

Exploitation

This bug is triggered during normal operation of the driver when handling CAN FD interfaces are used. No special privileges or authentication are required beyond the ability to interact with the CAN subsystem, which may be accessible to local users or through certain system configurations. The shift operation occurs in the driver's internal logic, and an attacker with local access could potentially exploit this to cause a system crash or other unpredictable behavior.

Impact

An attacker exploiting this vulnerability could cause a denial of service (system crash) or potentially escalate privileges if the undefined behavior leads to memory corruption. The impact is limited to systems using the affected peak_usb driver with PC CAN FD interfaces.

Mitigation

The fix explicitly uses a 64-bit constant for the shift operation, ensuring the shift amount is always within bounds [1]. The patch has been applied to the Linux kernel stable tree. Users should update to a kernel version containing this fix.