Skip to main content

Open-SAE-J1939 CVE-2026-37537

| EUVDEUVD-2026-26690 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-05-01 mitre
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 01, 2026 - 17:30 vuln.today
EUVD ID Assigned
May 01, 2026 - 17:00 euvd
EUVD-2026-26690
Analysis Generated
May 01, 2026 - 17:00 vuln.today
CVE Published
May 01, 2026 - 00:00 nvd
HIGH 8.1

DescriptionCVE.org

collin80/Open-SAE-J1939 thru commit 744024d4306bc387857dfce439558336806acb06 (2023-03-08) contains an integer underflow leading to out-of-bounds write in Transport Protocol Data Transfer handling. At line 23: uint8_t index = data[0] - 1. When data[0] (sequence number from CAN frame) is 0, index underflows to 255. Subsequent write at tp_dt->data[255*7 + i-1] reaches offset 1791, exceeding the MAX_TP_DT buffer (1785 bytes) by 6 bytes.

AnalysisAI

Integer underflow in Open-SAE-J1939 Transport Protocol handler allows adjacent network attackers to corrupt memory via crafted CAN frames. Attackers sending J1939 Transport Protocol Data Transfer frames with sequence number 0 trigger underflow to 255, writing 6 bytes beyond a 1785-byte buffer boundary. No authentication required and exploitable over CAN/automotive networks. EPSS data unavailable; no KEV listing or public POC identified at time of analysis, but technical details publicly disclosed in GitHub gist enable proof-of-concept development.

Technical ContextAI

Open-SAE-J1939 is a C/C++ library implementing SAE J1939 protocol for Controller Area Network (CAN) communication in heavy-duty vehicles and industrial equipment. The vulnerability exists in Transport Protocol Data Transfer (TP.DT) message handling, specifically the multi-packet reassembly logic. SAE J1939 uses TP.DT frames to transmit payloads exceeding 8 bytes across multiple CAN messages, with each frame containing a sequence number. The code performs unsafe arithmetic: uint8_t index = data[0] - 1 where data[0] is the attacker-controlled sequence number field. When data[0]=0, unsigned integer underflow produces index=255 (0xFF). The subsequent buffer write at offset tp_dt->data[255*7 + i-1] calculates to byte position 1791, exceeding the MAX_TP_DT buffer allocation of 1785 bytes. This is a classic integer underflow (inverse of overflow) leading to out-of-bounds write, enabling memory corruption in constrained embedded systems that typically lack ASLR or stack canaries.

RemediationAI

Apply bounds checking to Transport Protocol sequence number handling by validating data[0] is within range 1-255 before arithmetic operations. Recommended code fix: if (data[0] == 0 || data[0] > MAX_EXPECTED_SEQUENCE) { reject frame; } before index calculation. No vendor-released patch version identified at time of analysis - developers integrating this library must apply manual code changes. Examine commit history after 744024d4306bc387857dfce439558336806acb06 (2023-03-08) in both collin80 and DanielMartensson repositories for potential fixes, though no tagged release addresses CVE-2026-37537 explicitly per available references. Compensating controls for unpatched systems: implement CAN frame filtering at gateway level to drop TP.DT frames with sequence number 0x00; deploy CAN intrusion detection systems monitoring for malformed J1939 multi-packet sequences; isolate safety-critical CAN segments from diagnostic/telemetry networks. Note: sequence number validation may impact interoperability if legitimate J1939 implementations send non-standard sequences, requiring protocol conformance testing. For long-term mitigation, transition to memory-safe J1939 stack implementations or deploy embedded runtime protections (stack canaries, bounds checking) where performance constraints allow.

Share

CVE-2026-37537 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy