Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
AGL agl-service-can-low-level thru 17.1.12 contains a stack buffer overflow in the uds-c library. The send_diagnostic_request function in uds.c allocates a 6-byte stack buffer (MAX_DIAGNOSTIC_PAYLOAD_SIZE=6) but copies up to 7 bytes (MAX_UDS_REQUEST_PAYLOAD_LENGTH=7) via memcpy at an offset of 1+pid_length (2-3 bytes), resulting in 1-4 bytes of controlled stack overflow. The payload_length field (uint8_t) has no bounds check against the destination buffer. On 32-bit ARM automotive ECUs without stack canaries, this can lead to return address overwrite and RCE.
AnalysisAI
Stack buffer overflow in AGL agl-service-can-low-level through version 17.1.12 enables remote code execution on automotive ECUs. The vulnerability exists in the uds-c library's send_diagnostic_request function, where a miscalculation between buffer size (6 bytes) and copy length (7 bytes) allows 1-4 bytes of controlled stack overflow. On 32-bit ARM automotive systems without stack protection, attackers can overwrite return addresses to achieve arbitrary code execution. CVSS 7.5 High severity with network attack vector and no authentication required, though CVSS impact ratings (C:N/I:N/A:H) appear inconsistent with the RCE capability described. No public exploit identified at time of analysis, EPSS data unavailable.
Technical ContextAI
This vulnerability affects the Unified Diagnostic Services (UDS) implementation in Automotive Grade Linux's CAN bus low-level service. UDS is an ISO 14229 protocol used for diagnostic communication with automotive Electronic Control Units (ECUs) over Controller Area Network (CAN) interfaces. The flaw is a classic stack-based buffer overflow (CWE-121) in the uds.c module. The send_diagnostic_request function allocates a fixed 6-byte stack buffer (MAX_DIAGNOSTIC_PAYLOAD_SIZE) but performs a memcpy operation that can write up to 7 bytes (MAX_UDS_REQUEST_PAYLOAD_LENGTH) at an offset determined by 1+pid_length (2-3 bytes). The uint8_t payload_length field lacks validation against the destination buffer size, enabling an integer overflow condition where the copy operation exceeds buffer boundaries by 1-4 bytes. On embedded automotive platforms using 32-bit ARM processors without compiler-level stack canaries (common in real-time automotive systems prioritizing performance), this overflow can deterministically overwrite stack-saved return addresses, enabling control-flow hijacking and arbitrary code execution.
RemediationAI
Primary mitigation is upgrading to agl-service-can-low-level version 17.1.13 or later if available, though patch availability is not confirmed from vendor advisory at time of analysis - verify current release status at https://gerrit.automotivelinux.org/gerrit/apps/agl-service-can-low-level. If patched version is unavailable, implement compensating controls: (1) Compile with stack canary protection (-fstack-protector-strong) to detect overflow at runtime, accepting ~2-5% performance overhead in diagnostic operations. (2) Enable Address Space Layout Randomization (ASLR) if not already active to increase exploitation difficulty, though effectiveness is limited on embedded systems with restricted address spaces. (3) Restrict network access to UDS diagnostic interfaces using firewall rules, allowing only authenticated connections from trusted diagnostic tools - blocks remote exploitation vector but impairs remote diagnostics capability. (4) Deploy on 64-bit ARM platforms where memory layout differences may prevent reliable exploitation, though this requires hardware change. (5) Implement input validation wrapper limiting payload_length to MAX_DIAGNOSTIC_PAYLOAD_SIZE-offset before memcpy operations via code-level patch if source modification is feasible. Contact AGL security team for official patch timeline and temporary mitigation guidance specific to your automotive platform deployment.
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Stack Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26683