Skip to main content

CANBoat CVE-2026-56790

| EUVDEUVD-2026-39532 HIGH
Off-by-one Error (CWE-193)
2026-06-25 VulnCheck GHSA-p2cc-x7hq-6jvm
7.0
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.0 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.5 MEDIUM

Analyzer must be run by an operator over attacker-supplied input (UI:R, AV:L, PR:N); impact is a crash only, so availability-high with no confidentiality or integrity impact.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 25, 2026 - 18:50 vuln.today
Analysis Generated
Jun 25, 2026 - 18:50 vuln.today

DescriptionCVE.org

CANBoat through 6.22, fixed in commit a5a22b7, contains an off-by-one global buffer overflow in the searchForPgn() function in analyzer/pgn.c that allows remote attackers to crash the application. Attackers can deliver a crafted NMEA-2000 message with an out-of-range PGN value over CAN bus or N2K-over-IP to trigger an out-of-bounds array access and denial of service.

AnalysisAI

Denial of service in CANBoat (the open-source NMEA 2000/CAN bus analyzer) through version 6.22 allows attackers to crash the analyzer by delivering a crafted NMEA-2000 message containing an out-of-range PGN value. The flaw is an off-by-one global buffer overflow in the searchForPgn() binary-search routine in analyzer/pgn.c, where an out-of-range PGN causes a one-element read past the end of the pgnList[] table. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain access to CAN bus or N2K-over-IP feed
Delivery
Craft N2K message with out-of-range PGN (e.g. 393216)
Exploit
Operator runs analyzer over the feed
Execution
searchForPgn() reads pgnList[pgnListSize] off-by-one
Impact
Process crashes, decoding denied

Vulnerability AssessmentAI

Exploitation Exploitation requires the CANBoat analyzer to process attacker-controlled NMEA-2000 message data and the crafted message to carry a PGN value larger than every entry in the analyzer's pgnList[] table (the published PoC uses 393216; other out-of-range values such as 524287, 1000000, and 16777215 also trigger it). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mostly consistent toward a moderate, availability-only risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with access to the marine CAN bus or to an N2K-over-IP feed injects a single NMEA-2000 frame carrying an out-of-range PGN (e.g., the public PoC value 393216, larger than any entry in pgnList[]). When an operator runs the CANBoat analyzer against that traffic, searchForPgn() reads one element past the PGN table and the process crashes, denying decoding of subsequent navigation/instrument data. …
Remediation Upstream fix available (PR/commit); a released patched version is not independently confirmed from the input - update CANBoat to a build that includes commit a5a22b7 (PR #649), which is past the 6.22 release line. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all CANBoat deployments; identify current versions and determine which systems are running version 6.22 or earlier. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56790 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy