Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Buffer overflow vulnerability in cannelloni v2.0.0 in CAN frame parsing in parser.cpp in function parseCANFrame, and decoder.cpp in function decodeFrame allowing remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted CAN FD frames.
AnalysisAI
Remote code execution in cannelloni v2.0.0 allows unauthenticated network attackers to crash the service or execute arbitrary code by sending malformed CAN FD frames that trigger buffer overflows in two separate parsing functions (parseCANFrame in parser.cpp and decodeFrame in decoder.cpp). The CVSS score of 9.8 reflects network-accessible exploitation requiring no authentication or user interaction, with complete system compromise possible. Public proof-of-concept code exists (GitHub Gist reference), elevating immediate exploitation risk despite no CISA KEV listing, suggesting targeted rather than mass exploitation scenarios.
Technical ContextAI
Cannelloni is a SocketCAN-over-UDP tunneling application used in automotive and industrial control systems to transport Controller Area Network (CAN) traffic over IP networks. The vulnerability affects the CAN Flexible Data-Rate (CAN FD) frame processing logic in two critical parsing functions. Buffer overflow vulnerabilities occur when input validation fails to properly bound-check frame data before copying it into fixed-size memory buffers. CAN FD frames can carry up to 64 bytes of data (versus 8 bytes in classic CAN), and the parsing code in parser.cpp::parseCANFrame and decoder.cpp::decodeFrame appears to lack proper length validation when processing these extended payloads. This allows attackers to write beyond allocated buffer boundaries, potentially overwriting adjacent memory including return addresses, function pointers, or security-critical data structures. The network-accessible attack surface (AV:N) combined with no authentication requirements (PR:N) means any network peer sending UDP traffic to the cannelloni service can trigger the vulnerability.
RemediationAI
No vendor-released patch or fixed version has been identified in the provided references at time of analysis. The GitHub repository (https://github.com/mguentner/cannelloni) should be monitored for security updates, commits addressing CVE-2026-37539, or maintainer advisories. Until an official patch is available, implement network-level access controls to restrict cannelloni UDP endpoints to trusted source IP addresses only, blocking public internet exposure entirely. Deploy cannelloni instances behind application-layer firewalls configured to validate CAN FD frame structures and enforce maximum data length limits (64 bytes for CAN FD) before forwarding to the vulnerable service. Consider replacing cannelloni with alternative CAN-over-IP solutions that have undergone recent security audits, particularly for production automotive or safety-critical industrial deployments. If continued use is required, run cannelloni in isolated network segments with strict egress filtering to prevent lateral movement if code execution is achieved, and deploy runtime exploit mitigation technologies (ASLR, DEP/NX, stack canaries) on host systems, though these provide defense-in-depth rather than vulnerability elimination. For development/testing environments, disable CAN FD support entirely if classic CAN (8-byte frames) suffices, reducing attack surface. The proof-of-concept reference (https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381) may provide insights into exploitation mechanisms but should only be accessed in controlled research environments.
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26692