Skip to main content

OVMS3 CVE-2026-42469

| EUVDEUVD-2026-26697 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-05-01 mitre
8.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 01, 2026 - 19:45 vuln.today
CVSS changed
May 01, 2026 - 18:22 NVD
8.6 (None) 8.6 (HIGH)
EUVD ID Assigned
May 01, 2026 - 17:00 euvd
EUVD-2026-26697
Analysis Generated
May 01, 2026 - 17:00 vuln.today
CVE Published
May 01, 2026 - 00:00 nvd
HIGH 8.6

DescriptionCVE.org

Buffer overflow vulnerability in Open Vehicle Monitoring System 3 (OVMS3) 3.3.005. In canformat_canswitch.cpp the parser does not properly validate a CANswitch DLC value, allowing remote attackers to cause a denial of service or possibly execute arbitrary code via crafted CANswitch frames.

AnalysisAI

Remote code execution in Open Vehicle Monitoring System 3 (OVMS3) version 3.3.005 allows unauthenticated network attackers to execute arbitrary code or crash the system by sending malformed CANswitch frames with invalid DLC (Data Length Code) values. The buffer overflow occurs in the canformat_canswitch.cpp parser module which fails to validate frame length parameters before processing, enabling memory corruption. A proof-of-concept exploit is publicly available on GitHub, and SSVC assessment indicates the vulnerability is automatable with partial technical impact, though no active exploitation has been confirmed by CISA KEV at time of analysis.

Technical ContextAI

OVMS3 is an open-source telematics platform for vehicle monitoring and control, commonly used in electric vehicle (EV) fleet management and aftermarket CAN bus integration systems. The vulnerability resides in the CANswitch frame parser (canformat_canswitch.cpp), which processes Controller Area Network (CAN) protocol messages. CAN DLC (Data Length Code) is a 4-bit field specifying payload size (0-8 bytes in standard CAN, up to 64 in CAN-FD). The parser fails to validate this field before allocating buffer space or copying data, triggering CWE-121 (Stack-based Buffer Overflow). The CPE string is incomplete (cpe:2.3:a:n/a:n/a), indicating limited vendor cooperation or discovery context, with EUVD also listing version as n/a, complicating precise product identification. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the parser is network-accessible without authentication, likely listening on a TCP/UDP port for CAN-over-IP messages or exposed through a web interface accepting CANswitch commands.

RemediationAI

Upgrade to OVMS3 version newer than 3.3.005 if available - check the official GitHub repository (https://github.com/openvehicles/Open-Vehicle-Monitoring-System-3) for patched releases, as no vendor advisory with explicit fix version is referenced in available intelligence. Review commit history post-March 2025 for buffer overflow fixes in canformat_canswitch.cpp. If upgrade is not immediately feasible, implement network-level access controls to restrict CANswitch frame processing endpoints to trusted IP ranges only, blocking public internet exposure. For embedded deployments (OVMS hardware modules), disable the CANswitch feature entirely if not operationally required via configuration menu or by removing the canformat_canswitch plugin from the firmware build. Note that disabling CANswitch eliminates functionality for remote CAN frame injection/switching, which may break remote diagnostics or fleet command-and-control features. Deploy intrusion detection signatures to flag CANswitch frames with DLC values exceeding 8 (standard CAN) or 64 (CAN-FD), though this may generate false positives in CAN-FD environments. Consult the VulDB advisory (https://vuldb.com/vuln/360769) and researcher's GitHub Gist (https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381) for additional technical mitigations, but verify all recommendations against your deployment architecture before implementation.

Share

CVE-2026-42469 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy