Skip to main content

Open-SAE-J1939 CVE-2026-37534

| EUVDEUVD-2026-26687 CRITICAL
Integer Underflow (CWE-191)
2026-05-01 mitre
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 01, 2026 - 20:22 vuln.today
CVSS changed
May 01, 2026 - 20:22 NVD
9.8 (None) 9.8 (CRITICAL)
EUVD ID Assigned
May 01, 2026 - 17:00 euvd
EUVD-2026-26687
Analysis Generated
May 01, 2026 - 17:00 vuln.today
CVE Published
May 01, 2026 - 00:00 nvd
CRITICAL 9.8

DescriptionCVE.org

Integer underflow vulnerability in Open-SAE-J1939 thru commit b6caf884df46435e539b1ecbf92b6c29b345bdfe (2025-11-30) in SAE_J1939_Read_Transport_Protocol_Data_Transfer,allows attackers to write to arbitrary memory via crafted sequence number from the CAN frame.

AnalysisAI

Integer underflow in Open-SAE-J1939 library's transport protocol handler enables remote unauthenticated attackers to corrupt arbitrary memory locations via manipulated CAN frame sequence numbers. CVSS 9.8 reflects network-accessible attack surface with no authentication barriers, though exploitation requires deployment in CAN-connected environments (industrial control systems, automotive networks). EPSS data unavailable; SSVC indicates total technical impact with automated exploitation potential but no confirmed active exploitation.

Technical ContextAI

Open-SAE-J1939 is an open-source implementation of the SAE J1939 protocol for Controller Area Network (CAN) communication, widely used in heavy-duty vehicles and industrial automation. The vulnerability resides in SAE_J1939_Read_Transport_Protocol_Data_Transfer function, which handles multi-packet message reassembly per J1939 transport protocol specifications. CWE-191 (integer underflow) occurs when processing the sequence number field from incoming CAN frames - insufficient bounds checking allows negative arithmetic results, causing buffer indexing to wrap around to high memory addresses. This affects all versions through commit b6caf884df46435e539b1ecbf92b6c29b345bdfe (November 30, 2025). The network attack vector (AV:N) reflects CAN bus accessibility, which may be remote in telematics-enabled systems or require local CAN segment access depending on deployment architecture.

RemediationAI

Update to Open-SAE-J1939 commit later than b6caf884df46435e539b1ecbf92b6c29b345bdfe by pulling latest changes from https://github.com/DanielMartensson/Open-SAE-J1939 master branch. No specific patched version tag is confirmed in available data - integrators must verify commit history post-November 2025 for bounds-checking fixes in SAE_J1939_Read_Transport_Protocol_Data_Transfer function. If immediate patching is infeasible, implement defense-in-depth: restrict CAN bus access to authenticated devices only (physically secure OBD-II ports, disable remote diagnostic services), deploy CAN gateway firewalls to filter malformed J1939 transport protocol frames with invalid sequence numbers (sequence counter validation before processing), enable memory protection mechanisms (DEP/NX, ASLR) on host systems where supported to limit arbitrary write exploitation. Note that sequence number filtering may cause legitimate multi-packet messages to fail if validation logic is overly restrictive - test thoroughly in non-production environments. For safety-critical systems, consider migrating to formally verified CAN stack implementations.

Share

CVE-2026-37534 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy