Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Lifecycle Timeline
5DescriptionCVE.org
Buffer overflow vulnerability in Open Vehicle Monitoring System 3 (OVMS3) 3.3.005. In canformat_canswitch.cpp the parser does not properly validate a CANswitch DLC value, allowing remote attackers to cause a denial of service or possibly execute arbitrary code via crafted CANswitch frames.
AnalysisAI
Remote code execution in Open Vehicle Monitoring System 3 (OVMS3) version 3.3.005 allows unauthenticated network attackers to execute arbitrary code or crash the system by sending malformed CANswitch frames with invalid DLC (Data Length Code) values. The buffer overflow occurs in the canformat_canswitch.cpp parser module which fails to validate frame length parameters before processing, enabling memory corruption. A proof-of-concept exploit is publicly available on GitHub, and SSVC assessment indicates the vulnerability is automatable with partial technical impact, though no active exploitation has been confirmed by CISA KEV at time of analysis.
Technical ContextAI
OVMS3 is an open-source telematics platform for vehicle monitoring and control, commonly used in electric vehicle (EV) fleet management and aftermarket CAN bus integration systems. The vulnerability resides in the CANswitch frame parser (canformat_canswitch.cpp), which processes Controller Area Network (CAN) protocol messages. CAN DLC (Data Length Code) is a 4-bit field specifying payload size (0-8 bytes in standard CAN, up to 64 in CAN-FD). The parser fails to validate this field before allocating buffer space or copying data, triggering CWE-121 (Stack-based Buffer Overflow). The CPE string is incomplete (cpe:2.3:a:n/a:n/a), indicating limited vendor cooperation or discovery context, with EUVD also listing version as n/a, complicating precise product identification. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the parser is network-accessible without authentication, likely listening on a TCP/UDP port for CAN-over-IP messages or exposed through a web interface accepting CANswitch commands.
RemediationAI
Upgrade to OVMS3 version newer than 3.3.005 if available - check the official GitHub repository (https://github.com/openvehicles/Open-Vehicle-Monitoring-System-3) for patched releases, as no vendor advisory with explicit fix version is referenced in available intelligence. Review commit history post-March 2025 for buffer overflow fixes in canformat_canswitch.cpp. If upgrade is not immediately feasible, implement network-level access controls to restrict CANswitch frame processing endpoints to trusted IP ranges only, blocking public internet exposure. For embedded deployments (OVMS hardware modules), disable the CANswitch feature entirely if not operationally required via configuration menu or by removing the canformat_canswitch plugin from the firmware build. Note that disabling CANswitch eliminates functionality for remote CAN frame injection/switching, which may break remote diagnostics or fleet command-and-control features. Deploy intrusion detection signatures to flag CANswitch frames with DLC values exceeding 8 (standard CAN) or 64 (CAN-FD), though this may generate false positives in CAN-FD environments. Consult the VulDB advisory (https://vuldb.com/vuln/360769) and researcher's GitHub Gist (https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381) for additional technical mitigations, but verify all recommendations against your deployment architecture before implementation.
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Stack Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26697