Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
collin80/Open-SAE-J1939 thru commit 744024d4306bc387857dfce439558336806acb06 (2023-03-08) contains an integer underflow leading to out-of-bounds write in Transport Protocol Data Transfer handling. At line 23: uint8_t index = data[0] - 1. When data[0] (sequence number from CAN frame) is 0, index underflows to 255. Subsequent write at tp_dt->data[255*7 + i-1] reaches offset 1791, exceeding the MAX_TP_DT buffer (1785 bytes) by 6 bytes.
AnalysisAI
Integer underflow in Open-SAE-J1939 Transport Protocol handler allows adjacent network attackers to corrupt memory via crafted CAN frames. Attackers sending J1939 Transport Protocol Data Transfer frames with sequence number 0 trigger underflow to 255, writing 6 bytes beyond a 1785-byte buffer boundary. No authentication required and exploitable over CAN/automotive networks. EPSS data unavailable; no KEV listing or public POC identified at time of analysis, but technical details publicly disclosed in GitHub gist enable proof-of-concept development.
Technical ContextAI
Open-SAE-J1939 is a C/C++ library implementing SAE J1939 protocol for Controller Area Network (CAN) communication in heavy-duty vehicles and industrial equipment. The vulnerability exists in Transport Protocol Data Transfer (TP.DT) message handling, specifically the multi-packet reassembly logic. SAE J1939 uses TP.DT frames to transmit payloads exceeding 8 bytes across multiple CAN messages, with each frame containing a sequence number. The code performs unsafe arithmetic: uint8_t index = data[0] - 1 where data[0] is the attacker-controlled sequence number field. When data[0]=0, unsigned integer underflow produces index=255 (0xFF). The subsequent buffer write at offset tp_dt->data[255*7 + i-1] calculates to byte position 1791, exceeding the MAX_TP_DT buffer allocation of 1785 bytes. This is a classic integer underflow (inverse of overflow) leading to out-of-bounds write, enabling memory corruption in constrained embedded systems that typically lack ASLR or stack canaries.
RemediationAI
Apply bounds checking to Transport Protocol sequence number handling by validating data[0] is within range 1-255 before arithmetic operations. Recommended code fix: if (data[0] == 0 || data[0] > MAX_EXPECTED_SEQUENCE) { reject frame; } before index calculation. No vendor-released patch version identified at time of analysis - developers integrating this library must apply manual code changes. Examine commit history after 744024d4306bc387857dfce439558336806acb06 (2023-03-08) in both collin80 and DanielMartensson repositories for potential fixes, though no tagged release addresses CVE-2026-37537 explicitly per available references. Compensating controls for unpatched systems: implement CAN frame filtering at gateway level to drop TP.DT frames with sequence number 0x00; deploy CAN intrusion detection systems monitoring for malformed J1939 multi-packet sequences; isolate safety-critical CAN segments from diagnostic/telemetry networks. Note: sequence number validation may impact interoperability if legitimate J1939 implementations send non-standard sequences, requiring protocol conformance testing. For long-term mitigation, transition to memory-safe J1939 stack implementations or deploy embedded runtime protections (stack canaries, bounds checking) where performance constraints allow.
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26690