Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Vanetza is an open-source implementation of the ETSI C-ITS protocol suite. In 26.02 and earlier, a denial-of-service vulnerability was identified in the ASN.1/OER parsing pipeline of Vanetza. When processing malformed network packets containing corrupted ASN.1/OER structures (e.g., invalid length fields or malformed certificate encoding), the ASN.1 wrapper (asn1c_wrapper.cpp) raises a std::runtime_error. This exception is not caught at the parsing boundary and propagates to std::terminate, resulting in process termination. This vulnerability is fixed with commit 62dfe58a8342512b6e1947d75821402ada524f1a.
AnalysisAI
Remote denial of service in Vanetza 26.02 and earlier lets unauthenticated attackers crash the C-ITS protocol stack by sending malformed network packets containing corrupted ASN.1/OER structures, such as invalid length fields or malformed certificate encodings. The ASN.1 wrapper (asn1c_wrapper.cpp) raises a std::runtime_error that is never caught at the parsing boundary, so it propagates to std::terminate and kills the process. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV; EPSS data was not provided.
Technical ContextAI
Vanetza is an open-source implementation of the ETSI Cooperative Intelligent Transport Systems (C-ITS) protocol suite used in vehicle-to-everything (V2X) communications, where roadside units and on-board units exchange signed ITS messages. These messages and their security certificates are encoded with ASN.1 using OER (Octet Encoding Rules) per ETSI TS 103 097, and Vanetza decodes them through asn1c-generated parsers fronted by asn1c_wrapper.cpp. The root cause is CWE-248 (Uncaught Exception): the certificate-handling path constructs/copies an asn1::EtsiTs103097Certificate during canonicalization, and malformed input causes the underlying wrapper to throw std::runtime_error. The vendor fix (commit 62dfe58a8342512b6e1947d75821402ada524f1a) refactors the canonicalize() function for EtsiTs103097Certificate so the copy construction is wrapped in a try/catch that returns boost::none on any std::exception instead of letting it unwind to std::terminate. The CPE cpe:2.3:a:riebl:vanetza confirms the affected component is the riebl/vanetza codebase.
RemediationAI
Upstream fix available (commit 62dfe58a8342512b6e1947d75821402ada524f1a); a tagged/released patched version is not independently confirmed from the available data, so update to a Vanetza build that incorporates that commit (refer to advisory GHSA-j6cj-rp87-mfrx at https://github.com/riebl/vanetza/security/advisories/GHSA-j6cj-rp87-mfrx). Because the fix is distributed as source, integrators should rebuild and redeploy affected on-board/roadside units rather than expecting a binary release. Until the patched commit can be deployed, compensating controls include wrapping ASN.1/OER parsing calls (and the certificate canonicalization path) in exception handlers that drop the offending message rather than terminating, and restricting which peers can reach the C-ITS receiving endpoint via network segmentation or allow-listing of trusted V2X participants; the trade-off is that exception-swallowing patches must be validated to avoid masking other parser errors, and network restrictions can reduce legitimate V2X interoperability in open road environments. Running the parsing process under a supervisor that auto-restarts on std::terminate is a stopgap that restores availability but does not prevent repeated crashes under sustained malformed traffic.
Same weakness CWE-248 – Uncaught Exception
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32005