
iso14229 CVE-2026-54413

EUVD-2026-36664 · HIGH
Integer Underflow (CWE-191)
2026-06-14 · TuranSec · GHSA-36r7-c6f4-gj9g
7.8 · CVSS 4.0 · Vendor: TuranSec

Severity by source

Vendor (TuranSec) PRIMARY
7.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:D/RE:X/U:X
vuln.today AI
8.2 HIGH

Network-reachable via DoIP with no authentication (PR:N); OOB read yields limited memory disclosure (C:L); reliable crash of UDS server (A:H); no integrity impact; scope stays within the server process (S:U).

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (TuranSec).

CVSS Vector (Vendor: TuranSec)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:D/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Safety (supplemental metric S)
Not Defined (X)

Lifecycle Timeline

1. Analysis Generated: Jun 14, 2026 - 18:28 (vuln.today)

Description (CVE.org)

driftregion iso14229 through 0.9.0 contains an integer underflow and a downstream out-of-bounds read in the Handle_0x27_SecurityAccess() function in iso14229.c. A remote, unauthenticated attacker can crash a UDS server, and potentially read memory past the receive buffer, by sending a single-byte 0x27 SecurityAccess request that follows any earlier well-formed 0x27 message.

The handler reads the SecurityAccess subFunction from recv_buf[1] without first checking that recv_len is at least 2, then computes the key-data length as the unsigned subtraction (uint16_t)(recv_len - UDS_0X27_REQ_BASE_LEN). When recv_len equals 1 the result underflows to 65535 and is passed as args.len to the application's SecAccessValidateKey or SecAccessRequestSeed callback, which typically iterates over or copies that many bytes from the 4-KB receive buffer.

Every other UDS sub-function handler in the library (0x10, 0x11, 0x14, 0x19, 0x22, 0x23, 0x28, and others) performs an explicit recv_len lower-bound check before indexing; Handle_0x27_SecurityAccess is the sole outlier.

The vulnerable handler is reachable over CAN bus, OBD-II, ISO-TP, and DoIP transports and is exposed in the default diagnostic session without prior authentication. Deployments on automotive ECUs, industrial controllers, and IoT devices that ship iso14229 as their UDS server are affected.

Analysis (AI)

Integer underflow and out-of-bounds read in driftregion iso14229 through version 0.9.0 allows remote unauthenticated attackers to crash a UDS server or read up to 65535 bytes of memory past the 4-KB receive buffer by sending a single-byte 0x27 SecurityAccess diagnostic request. The Handle_0x27_SecurityAccess() function in iso14229.c at line 1447 fails to validate that recv_len is at least 2 before computing the key-data length via unsigned subtraction, unlike every other sub-function handler in the library. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: identify a DoIP or ISO-TP diagnostic endpoint
  • Delivery: send a well-formed 0x27 SecurityAccess seed request
  • Exploit: send a single-byte 0x27 malformed request
  • Execution: trigger the uint16_t underflow to length 65535
  • Persist: the callback iterates 65535 bytes past the 4-KB receive buffer
  • Impact: UDS server crash (DoS) or OOB memory read

Vulnerability Assessment (AI)

Exploitation Two concrete conditions must be met: (1) the attacker must have already sent any syntactically well-formed 0x27 SecurityAccess message to the target UDS server in the same session; this is a trivial prerequisite achievable with a single valid diagnostic frame; (2) the target must be running driftregion iso14229 version 0.9.0 or earlier as its UDS server. …
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VA:H, score 7.8) accurately reflects the real-world risk profile. …
Exploit Scenario An attacker with network access to a vehicle's DoIP diagnostic interface (e.g., via an Ethernet-enabled OBD-II adapter or a telematics gateway) first sends any syntactically valid 0x27 SecurityAccess request to satisfy the sequencing prerequisite, then immediately sends a one-byte 0x27 frame. The UDS server's Handle_0x27_SecurityAccess() computes a key-data length of 65535 and passes it to the application's seed/key callback, which crashes the server or reads memory past the receive buffer; whether any of that memory is disclosed back to the attacker depends on what the callback does with the bytes it reads. …
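The length arithmetic from the Description and the one-byte trigger frame from the Exploit Scenario, as an added example in C. This is a simplified model written for this page, not code from the iso14229 project: the names recv_buf, recv_len, UDS_0X27_REQ_BASE_LEN and args.len and the 4-KB buffer size come from the advisory, while the struct layouts, return codes, the base-length value of 2 (SID plus subFunction), the constructed request bytes, and the callback shape (app_validate_key, EXPECTED_KEY_LEN) are assumptions. It shows the vulnerable subtraction wrapping to 65535 on a single 0x27 byte, the lower-bound check the other handlers already perform, and an application-side callback that refuses any length other than the key size it expects.

```c
#include <stdint.h>
#include <string.h>

/* Added example, not iso14229 project code: a simplified model of the 0x27
 * SecurityAccess length computation described in the advisory. recv_buf,
 * recv_len, UDS_0X27_REQ_BASE_LEN and args.len are the advisory's names; the
 * structs, return codes, base length of 2, request bytes and callback shape
 * are assumptions made for this model. */

#define UDS_0X27_REQ_BASE_LEN 2u     /* assumed: SID 0x27 + subFunction byte */
#define RECV_BUF_SIZE         4096u  /* advisory: 4-KB receive buffer */
#define EXPECTED_KEY_LEN      4u     /* assumed: this application uses 4-byte keys */

enum { UDS_OK = 0, UDS_ERR_LEN = 1, UDS_ERR_KEY = 2 };

typedef struct {
    uint8_t        subFunction;  /* 0x01 requestSeed, 0x02 sendKey, ... */
    const uint8_t *data;         /* seed/key bytes following the 2-byte header */
    uint16_t       len;          /* byte count handed to the application callback */
} SecAccessArgs;

typedef struct {
    uint8_t  recv_buf[RECV_BUF_SIZE];
    uint16_t recv_len;
} UdsServerModel;

/* Vulnerable shape: index recv_buf[1] and subtract before any lower-bound check.
 * With recv_len == 1 the uint16_t subtraction wraps to 65535. Only the
 * arithmetic is modelled; nothing here walks args->len bytes. */
static uint16_t handle_0x27_vulnerable(const UdsServerModel *srv, SecAccessArgs *args)
{
    args->subFunction = srv->recv_buf[1];  /* stale byte when recv_len == 1 */
    args->data = &srv->recv_buf[2];
    args->len = (uint16_t)(srv->recv_len - UDS_0X27_REQ_BASE_LEN);
    return args->len;
}

/* Fixed shape: the lower-bound check the other handlers already perform, done
 * before indexing or subtracting (in UDS terms the reply would be NRC 0x13,
 * incorrectMessageLengthOrInvalidFormat). */
static int handle_0x27_fixed(const UdsServerModel *srv, SecAccessArgs *args)
{
    if (srv->recv_len < UDS_0X27_REQ_BASE_LEN) return UDS_ERR_LEN;
    args->subFunction = srv->recv_buf[1];
    args->data = &srv->recv_buf[2];
    args->len = (uint16_t)(srv->recv_len - UDS_0X27_REQ_BASE_LEN);
    return UDS_OK;
}

/* Defensive application callback (assumed shape): never loop over args->len
 * blindly; demand the exact key size expected, so a bogus length is refused
 * rather than walked off the end of the buffer. */
static int app_validate_key(const SecAccessArgs *args)
{
    static const uint8_t expected_key[EXPECTED_KEY_LEN] = {0xDE, 0xAD, 0xBE, 0xEF}; /* constructed */
    if (args->len != EXPECTED_KEY_LEN) return UDS_ERR_LEN;  /* 65535 stops here */
    return memcmp(args->data, expected_key, EXPECTED_KEY_LEN) == 0 ? UDS_OK : UDS_ERR_KEY;
}

/* Copy one request frame into a zeroed receive buffer. */
static void load_request(UdsServerModel *srv, const uint8_t *req, uint16_t n)
{
    memset(srv, 0, sizeof *srv);
    memcpy(srv->recv_buf, req, n < RECV_BUF_SIZE ? n : RECV_BUF_SIZE);
    srv->recv_len = n;
}

static const uint8_t TRIGGER[] = {0x27};  /* constructed: the one-byte SecurityAccess frame */

/* Length the callback would receive after the trigger on the vulnerable path. */
uint16_t demo_vulnerable_len(void)
{
    UdsServerModel srv; SecAccessArgs args;
    load_request(&srv, TRIGGER, sizeof TRIGGER);
    return handle_0x27_vulnerable(&srv, &args);
}

/* The same trigger on the fixed path: rejected before the subtraction. */
int demo_fixed_rejects_short(void)
{
    UdsServerModel srv; SecAccessArgs args;
    load_request(&srv, TRIGGER, sizeof TRIGGER);
    return handle_0x27_fixed(&srv, &args);
}

/* A well-formed sendKey frame (0x27 0x02 + 4 key bytes) still passes the fixed
 * handler; the callback accepts the right key and fails closed on a wrong one. */
int demo_fixed_wellformed(int correct_key)
{
    uint8_t req[] = {0x27, 0x02, 0xDE, 0xAD, 0xBE, 0xEF};  /* constructed */
    UdsServerModel srv; SecAccessArgs args;
    if (!correct_key) req[5] = 0x00;
    load_request(&srv, req, sizeof req);
    if (handle_0x27_fixed(&srv, &args) != UDS_OK) return UDS_ERR_LEN;
    return app_validate_key(&args);
}

/* Callback-side check alone: the wrapped length from the vulnerable handler is
 * refused before any key byte is compared. */
int demo_callback_refuses_underflow(void)
{
    UdsServerModel srv; SecAccessArgs args;
    load_request(&srv, TRIGGER, sizeof TRIGGER);
    (void)handle_0x27_vulnerable(&srv, &args);
    return app_validate_key(&args);
}
```

The sequencing prerequisite (an earlier well-formed 0x27 message) is not modelled, because the advisory does not describe the state the handler keeps between requests; the well-formed sendKey frame here only demonstrates that the fixed path still accepts valid input. The callback-side length check is a compensating control for application authors who cannot update the library yet: it stops the 65535-byte walk, but it does not remove the handler's unchecked read of recv_buf[1] on a one-byte frame.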
Remediation No vendor-released patch identified at time of analysis; the upstream fix version has not been independently confirmed from available references. …

Recommended Action (AI)

Within 24 hours: Conduct comprehensive inventory of all systems running driftregion iso14229 v0.9.0 or earlier, prioritizing automotive and industrial control deployments; immediately isolate or disable publicly-facing diagnostic interfaces. …
