What is the CVSS score of CVE-2026-37537?

CVE-2026-37537 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Open-SAE-J1939 are affected by CVE-2026-37537?

CVE-2026-37537 affects Open-SAE-J1939 Transport Protocol handlers with an integer underflow vulnerability that enables memory corruption via crafted CAN frames, posing a direct risk to automotive and…

How to fix or mitigate CVE-2026-37537?

Within 24 hours: Inventory all systems running Open-SAE-J1939 protocol handlers; identify network segments with direct CAN access. Within 7 days: Isolate or air-gap affected systems if operationally feasible; restrict CAN network access to trusted endpoints only; implement network segmentation between safety-critical and general-purpose CAN buses. Within 30 days: Contact vendor for patch timeline and interim firmware updates; evaluate alternative J1939 implementations with integer underflow protections; develop and test compensating controls across all identified systems; establish incident response procedures for memory corruption detection.

Open-SAE-J1939 CVE-2026-37537

EUVD-2026-26690 HIGH

Integer Overflow or Wraparound (CWE-190)

2026-05-01 mitre

Buffer Overflow Integer Overflow

8.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

May 01, 2026 - 17:30 vuln.today

EUVD ID Assigned

May 01, 2026 - 17:00 euvd

EUVD-2026-26690

Analysis Generated

May 01, 2026 - 17:00 vuln.today

CVE Published

May 01, 2026 - 00:00 nvd

HIGH 8.1

DescriptionNVD

collin80/Open-SAE-J1939 thru commit 744024d4306bc387857dfce439558336806acb06 (2023-03-08) contains an integer underflow leading to out-of-bounds write in Transport Protocol Data Transfer handling. At line 23: uint8_t index = data[0] - 1. When data[0] (sequence number from CAN frame) is 0, index underflows to 255. Subsequent write at tp_dt->data[255*7 + i-1] reaches offset 1791, exceeding the MAX_TP_DT buffer (1785 bytes) by 6 bytes.

AnalysisAI

Integer underflow in Open-SAE-J1939 Transport Protocol handler allows adjacent network attackers to corrupt memory via crafted CAN frames. Attackers sending J1939 Transport Protocol Data Transfer frames with sequence number 0 trigger underflow to 255, writing 6 bytes beyond a 1785-byte buffer boundary. …

RemediationAI

Within 24 hours: Inventory all systems running Open-SAE-J1939 protocol handlers; identify network segments with direct CAN access. Within 7 days: Isolate or air-gap affected systems if operationally feasible; restrict CAN network access to trusted endpoints only; implement network segmentation between safety-critical and general-purpose CAN buses. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-37537 vulnerability details – vuln.today

Back

Open-SAE-J1939 CVE-2026-37537

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code