Skip to main content

cannelloni CVE-2026-37539

| EUVDEUVD-2026-26692 CRITICAL
Stack-based Buffer Overflow (CWE-121)
2026-05-01 mitre
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 01, 2026 - 17:30 vuln.today
EUVD ID Assigned
May 01, 2026 - 17:00 euvd
EUVD-2026-26692
Analysis Generated
May 01, 2026 - 17:00 vuln.today
CVE Published
May 01, 2026 - 00:00 nvd
CRITICAL 9.8

DescriptionCVE.org

Buffer overflow vulnerability in cannelloni v2.0.0 in CAN frame parsing in parser.cpp in function parseCANFrame, and decoder.cpp in function decodeFrame allowing remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted CAN FD frames.

AnalysisAI

Remote code execution in cannelloni v2.0.0 allows unauthenticated network attackers to crash the service or execute arbitrary code by sending malformed CAN FD frames that trigger buffer overflows in two separate parsing functions (parseCANFrame in parser.cpp and decodeFrame in decoder.cpp). The CVSS score of 9.8 reflects network-accessible exploitation requiring no authentication or user interaction, with complete system compromise possible. Public proof-of-concept code exists (GitHub Gist reference), elevating immediate exploitation risk despite no CISA KEV listing, suggesting targeted rather than mass exploitation scenarios.

Technical ContextAI

Cannelloni is a SocketCAN-over-UDP tunneling application used in automotive and industrial control systems to transport Controller Area Network (CAN) traffic over IP networks. The vulnerability affects the CAN Flexible Data-Rate (CAN FD) frame processing logic in two critical parsing functions. Buffer overflow vulnerabilities occur when input validation fails to properly bound-check frame data before copying it into fixed-size memory buffers. CAN FD frames can carry up to 64 bytes of data (versus 8 bytes in classic CAN), and the parsing code in parser.cpp::parseCANFrame and decoder.cpp::decodeFrame appears to lack proper length validation when processing these extended payloads. This allows attackers to write beyond allocated buffer boundaries, potentially overwriting adjacent memory including return addresses, function pointers, or security-critical data structures. The network-accessible attack surface (AV:N) combined with no authentication requirements (PR:N) means any network peer sending UDP traffic to the cannelloni service can trigger the vulnerability.

RemediationAI

No vendor-released patch or fixed version has been identified in the provided references at time of analysis. The GitHub repository (https://github.com/mguentner/cannelloni) should be monitored for security updates, commits addressing CVE-2026-37539, or maintainer advisories. Until an official patch is available, implement network-level access controls to restrict cannelloni UDP endpoints to trusted source IP addresses only, blocking public internet exposure entirely. Deploy cannelloni instances behind application-layer firewalls configured to validate CAN FD frame structures and enforce maximum data length limits (64 bytes for CAN FD) before forwarding to the vulnerable service. Consider replacing cannelloni with alternative CAN-over-IP solutions that have undergone recent security audits, particularly for production automotive or safety-critical industrial deployments. If continued use is required, run cannelloni in isolated network segments with strict egress filtering to prevent lateral movement if code execution is achieved, and deploy runtime exploit mitigation technologies (ASLR, DEP/NX, stack canaries) on host systems, though these provide defense-in-depth rather than vulnerability elimination. For development/testing environments, disable CAN FD support entirely if classic CAN (8-byte frames) suffices, reducing attack surface. The proof-of-concept reference (https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381) may provide insights into exploitation mechanisms but should only be accessed in controlled research environments.

Share

CVE-2026-37539 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy