What is the CVSS score of CVE-2026-37554?

CVE-2026-37554 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.0%.

Which versions of Vanetza V2X are affected by CVE-2026-37554?

CVE-2026-37554 affects Vanetza V2X v26.02 receivers with a remote denial-of-service vulnerability that crashes the application via malformed GeoNetworking packets, disrupting…

Is there a public PoC exploit available for CVE-2026-37554?

Yes, a public proof-of-concept exploit is available for CVE-2026-37554. Prioritise patching immediately. EPSS: 0.0%.

Vanetza V2X CVE-2026-37554

EUVD-2026-26671 HIGH

Uncaught Exception (CWE-248)

2026-05-01 cve@mitre.org

Denial Of Service OpenSSL

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

May 01, 2026 - 16:31 vuln.today

EUVD ID Assigned

May 01, 2026 - 16:22 euvd

EUVD-2026-26671

Analysis Generated

May 01, 2026 - 16:22 vuln.today

CVE Published

May 01, 2026 - 16:16 nvd

HIGH 7.5

DescriptionNVD

An issue was discovered in Vanetza V2X v26.02 allowing remote unauthorized attackers to cause a denial of service. The vulnerability exists in the GeoNetworking packet processing pipeline where OpenSSL exceptions from ECC point validation (invalid compressed point, point not on curve) are not properly caught by the Router::indicate() call chain. The openssl_wrapper.cpp check() function (line 19) throws openssl::Exception when OpenSSL operations fail. The parser's catch block in parse_secured() should catch these, but the exception escapes through subsequent processing stages (indicate_common, indicate_extended). This causes std::terminate, crashing the V2X receiver.

AnalysisAI

Remote unauthenticated denial of service crashes Vanetza V2X v26.02 receivers via malformed GeoNetworking packets containing invalid ECC points. Uncaught OpenSSL exceptions from elliptic curve point validation (invalid compressed points, points not on curve) in the security layer escape through the Router::indicate() call chain, triggering std::terminate and process termination. …

RemediationAI

Within 24 hours: Inventory all Vanetza V2X v26.02 deployments and network segments with exposed receivers; implement network-level filtering to restrict GeoNetworking traffic (UDP port 5555 standard) to trusted V2X nodes only. Within 7 days: Establish monitoring for abnormal V2X receiver crashes or restarts; document current availability metrics as baseline; contact Vanetza project maintainers for patch timeline and interim guidance. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-37554 vulnerability details – vuln.today

Back

Vanetza V2X CVE-2026-37554

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code