Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Buffer overflow vulnerability in Open Vehicle Monitoring System 3 (OVMS3) 3.3.005. In canformat_pcap.cpp , the parser's phdr.len field is not properly validated, allowing remote attackers to cause a denial of service or possibly execute arbitrary code via crafted PCAP input.
AnalysisAI
Buffer overflow in Open Vehicle Monitoring System 3 (OVMS3) version 3.3.005 enables remote code execution when processing malicious PCAP files. The canformat_pcap.cpp parser fails to validate the phdr.len field, allowing attackers to overflow stack buffers and execute arbitrary code with high confidentiality, integrity, and availability impact. Public proof-of-concept code exists (GitHub Gist), though no active exploitation is confirmed by CISA KEV. SSVC assessment indicates automatable exploitation despite requiring user interaction to open crafted PCAP files.
Technical ContextAI
OVMS3 is an open-source vehicle monitoring and control system used in electric vehicles for data logging, diagnostics, and remote monitoring. The vulnerability resides in canformat_pcap.cpp, which parses PCAP (Packet Capture) files containing CAN bus network traffic. The affected parser reads the phdr.len (packet header length) field from untrusted PCAP input without bounds validation before using it in buffer operations, creating a classic stack-based buffer overflow (CWE-121). PCAP is a standard file format for network packet capture, commonly used in vehicle diagnostics to record Controller Area Network (CAN) bus communications. When OVMS3 processes a maliciously crafted PCAP file with an oversized phdr.len value, the parser writes beyond allocated stack buffer boundaries, enabling control-flow hijacking and arbitrary code execution in the context of the OVMS3 application.
RemediationAI
No vendor-released patch version is identified in available data - the CVE description confirms vulnerability in version 3.3.005 but neither NVD CPE data nor EUVD references specify a fixed version. Monitor the Open Vehicle Monitoring System GitHub repository (openvehicles/Open-Vehicle-Monitoring-System-3) and official project announcements for security updates addressing CVE-2026-42468. Until a patch is released, implement defense-in-depth controls: disable or restrict PCAP file import functionality in production OVMS3 deployments if not operationally required (trade-off: loss of diagnostic file analysis capability); accept PCAP files only from trusted, authenticated sources via secure channels; run OVMS3 with least-privilege user accounts to limit code execution impact (reduces lateral movement potential but does not prevent initial compromise); deploy application sandboxing or containerization to isolate OVMS3 processes from critical vehicle control systems (adds operational complexity). Reference the POC at https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 to validate patch effectiveness when available, and consult VulDB advisory https://vuldb.com/vuln/360768 for community-reported mitigations.
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Stack Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26696