CVE-2022-2741 HIGH

CVE-2022-2741: can: denial-of-service can be triggered by a crafted CAN frame

Vendor Zephyrproject-Rtos
Product zephyr
Weakness CWE-400
Published October 31, 2022
Last update May 5, 2025

CVSS base score

8.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

What the vulnerability does

01Description

The denial-of-service can be triggered by transmitting a carefully crafted CAN frame on the same CAN network as the vulnerable node. The frame must have a CAN ID matching an installed filter in the vulnerable node (this can easily be guessed based on CAN traffic analyses). The frame must contain the opposite RTR bit as what the filter installed in the vulnerable node contains (if the filter matches RTR frames, the frame must be a data frame or vice versa).

Key dates

02Disclosure timeline

October 31, 2022 CVE published
May 5, 2025 Record updated