Skip to main content

Vanetza CVE-2026-43988

| EUVDEUVD-2026-32005 HIGH
Uncaught Exception (CWE-248)
2026-05-26 GitHub_M
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch available
May 26, 2026 - 23:02 EUVD
Source Code Evidence Fetched
May 26, 2026 - 22:13 vuln.today
Analysis Generated
May 26, 2026 - 22:13 vuln.today

DescriptionGitHub Advisory

Vanetza is an open-source implementation of the ETSI C-ITS protocol suite. In 26.02 and earlier, a denial-of-service vulnerability was identified in the ASN.1/OER parsing pipeline of Vanetza. When processing malformed network packets containing corrupted ASN.1/OER structures (e.g., invalid length fields or malformed certificate encoding), the ASN.1 wrapper (asn1c_wrapper.cpp) raises a std::runtime_error. This exception is not caught at the parsing boundary and propagates to std::terminate, resulting in process termination. This vulnerability is fixed with commit 62dfe58a8342512b6e1947d75821402ada524f1a.

AnalysisAI

Remote denial of service in Vanetza 26.02 and earlier lets unauthenticated attackers crash the C-ITS protocol stack by sending malformed network packets containing corrupted ASN.1/OER structures, such as invalid length fields or malformed certificate encodings. The ASN.1 wrapper (asn1c_wrapper.cpp) raises a std::runtime_error that is never caught at the parsing boundary, so it propagates to std::terminate and kills the process. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV; EPSS data was not provided.

Technical ContextAI

Vanetza is an open-source implementation of the ETSI Cooperative Intelligent Transport Systems (C-ITS) protocol suite used in vehicle-to-everything (V2X) communications, where roadside units and on-board units exchange signed ITS messages. These messages and their security certificates are encoded with ASN.1 using OER (Octet Encoding Rules) per ETSI TS 103 097, and Vanetza decodes them through asn1c-generated parsers fronted by asn1c_wrapper.cpp. The root cause is CWE-248 (Uncaught Exception): the certificate-handling path constructs/copies an asn1::EtsiTs103097Certificate during canonicalization, and malformed input causes the underlying wrapper to throw std::runtime_error. The vendor fix (commit 62dfe58a8342512b6e1947d75821402ada524f1a) refactors the canonicalize() function for EtsiTs103097Certificate so the copy construction is wrapped in a try/catch that returns boost::none on any std::exception instead of letting it unwind to std::terminate. The CPE cpe:2.3:a:riebl:vanetza confirms the affected component is the riebl/vanetza codebase.

RemediationAI

Upstream fix available (commit 62dfe58a8342512b6e1947d75821402ada524f1a); a tagged/released patched version is not independently confirmed from the available data, so update to a Vanetza build that incorporates that commit (refer to advisory GHSA-j6cj-rp87-mfrx at https://github.com/riebl/vanetza/security/advisories/GHSA-j6cj-rp87-mfrx). Because the fix is distributed as source, integrators should rebuild and redeploy affected on-board/roadside units rather than expecting a binary release. Until the patched commit can be deployed, compensating controls include wrapping ASN.1/OER parsing calls (and the certificate canonicalization path) in exception handlers that drop the offending message rather than terminating, and restricting which peers can reach the C-ITS receiving endpoint via network segmentation or allow-listing of trusted V2X participants; the trade-off is that exception-swallowing patches must be validated to avoid masking other parser errors, and network restrictions can reduce legitimate V2X interoperability in open road environments. Running the parsing process under a supervisor that auto-restarts on std::terminate is a stopgap that restores availability but does not prevent repeated crashes under sustained malformed traffic.

Share

CVE-2026-43988 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy