Skip to main content

AGL agl-service-can-low-level CVE-2026-42485

| EUVDEUVD-2026-26698 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-05-01 mitre
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 01, 2026 - 19:47 vuln.today
CVSS changed
May 01, 2026 - 19:22 NVD
7.5 (HIGH)
EUVD ID Assigned
May 01, 2026 - 17:00 euvd
EUVD-2026-26698
Analysis Generated
May 01, 2026 - 17:00 vuln.today
CVE Published
May 01, 2026 - 00:00 nvd
HIGH 7.5

DescriptionCVE.org

AGL agl-service-can-low-level contains a stack buffer overflow in the uds-c library. The send_diagnostic_request function in uds.c allocates a 6-byte stack buffer (MAX_DIAGNOSTIC_PAYLOAD_SIZE=6) but copies up to 7 bytes (MAX_UDS_REQUEST_PAYLOAD_LENGTH=7) via memcpy at an offset of 1+pid_length (2-3 bytes), resulting in 1-4 bytes of controlled stack overflow. The payload_length field (uint8_t) has no bounds check against the destination buffer. On 32-bit ARM automotive ECUs without stack canaries, this can lead to return address overwrite and RCE.

AnalysisAI

Stack buffer overflow in AGL agl-service-can-low-level's uds-c library enables remote code execution on vulnerable automotive ECUs. The send_diagnostic_request function copies up to 7 bytes into a 6-byte stack buffer without bounds checking, allowing 1-4 bytes of controlled stack corruption. On 32-bit ARM ECUs without stack canaries (common in automotive deployments), attackers can overwrite return addresses to achieve arbitrary code execution. CVSS 7.5 with network attack vector and no authentication required indicates critical exposure, though CVSS impact vector (C:N/I:N/A:H) appears inconsistent with RCE capability described - vendor assessment may undervalue confidentiality/integrity impact of code execution.

Technical ContextAI

The vulnerability resides in the Unified Diagnostic Services (UDS) implementation within agl-service-can-low-level, a CAN bus diagnostic service component of Automotive Grade Linux. UDS is an ISO 14229 protocol for automotive diagnostics over CAN networks. The flaw is a classic CWE-121 stack-based buffer overflow: send_diagnostic_request() in uds.c defines MAX_DIAGNOSTIC_PAYLOAD_SIZE as 6 bytes but attempts to copy MAX_UDS_REQUEST_PAYLOAD_LENGTH (7 bytes) via memcpy at offset 1+pid_length (2-3 bytes total offset). With an unchecked uint8_t payload_length field, an attacker can trigger memcpy to write beyond the 6-byte boundary. The CPE string is generic (n/a:n/a), indicating affected product enumeration is incomplete. Automotive ECUs typically run on 32-bit ARM without modern exploit mitigations like stack canaries or ASLR, making return-oriented programming and direct return address overwrite trivial.

RemediationAI

Apply vendor security patch when released by Automotive Grade Linux project - monitor https://gerrit.automotivelinux.org/gerrit/apps/agl-service-can-low-level for commits addressing CVE-2026-42485. Technical analysis at https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643 may contain additional mitigation guidance. Until patched version is available, implement network-level isolation: restrict CAN bus diagnostic service access to authenticated service networks only, disable external telematics routing to UDS endpoints, and block OBD-II port network bridging in production vehicles. For ECU deployments, recompile agl-service-can-low-level with stack canaries enabled (-fstack-protector-strong) and position-independent code to provide exploit mitigation layers, though this requires build environment access and may impact real-time performance constraints. Input validation workaround: if source modification is feasible, add explicit bounds check before memcpy to ensure payload_length + 1 + pid_length does not exceed MAX_DIAGNOSTIC_PAYLOAD_SIZE (6 bytes). Network segmentation is the most practical immediate control for operational vehicle fleets.

Share

CVE-2026-42485 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy