Skip to main content

AGL agl-service-can-low-level EUVDEUVD-2026-26686

| CVE-2026-37532 HIGH
Buffer Over-read (CWE-126)
2026-05-01 mitre
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 01, 2026 - 17:33 vuln.today
EUVD ID Assigned
May 01, 2026 - 17:00 euvd
EUVD-2026-26686
Analysis Generated
May 01, 2026 - 17:00 vuln.today
CVE Published
May 01, 2026 - 00:00 nvd
HIGH 7.1

DescriptionCVE.org

AGL agl-service-can-low-level thru 17.1.12 contains a heap buffer over-read in the isotp-c library. In isotp_continue_receive (receive.c:87-89), the payload_length for a Single Frame is extracted from a 4-bit nibble in the CAN frame data, yielding values 0-15. However, a standard CAN frame is only 8 bytes, with payload starting at data[1] (7 bytes available). When payload_length exceeds the available data (e.g., nibble=15 but only 7 payload bytes exist), memcpy(message.payload, &data[1], payload_length) reads up to 8 bytes past the end of the data buffer.

AnalysisAI

Heap buffer over-read in AGL agl-service-can-low-level through version 17.1.12 allows adjacent network attackers to disclose memory contents and cause denial of service without authentication. The vulnerability stems from improper bounds checking in the isotp-c library's Single Frame handling, where a 4-bit payload length field (0-15) is trusted without validating against the 7-byte CAN frame payload capacity, enabling reads up to 8 bytes beyond the buffer. CVSS 7.1 (High) reflects adjacent network attack vector with low confidentiality and high availability impact. No public exploit code or active exploitation confirmed at time of analysis, though the specific line numbers and technical details in the description lower exploitation barriers.

Technical ContextAI

The vulnerability resides in the ISO-TP (ISO 15765-2) transport protocol implementation used for CAN (Controller Area Network) bus communication in Automotive Grade Linux. ISO-TP segments messages across multiple CAN frames; Single Frames carry short messages in one frame. The CAN 2.0 standard limits data payloads to 8 bytes. In isotp_continue_receive (receive.c:87-89), the code extracts payload_length from the upper nibble of data[0] (4 bits, yielding 0-15), then immediately copies that many bytes from data[1] onward via memcpy. Since data[1] through data[7] provides only 7 bytes of actual payload space in a standard CAN frame, any payload_length value 8-15 triggers a heap over-read, accessing uninitialized or adjacent heap memory. This is a classic integer-to-pointer conversion issue where protocol-level constraints (4-bit field) are not validated against implementation-level constraints (buffer size). The affected CPE string is incomplete (cpe:2.3:a:n/a:n/a), indicating limited structured product identification data, but the Gerrit repository confirms this is the agl-service-can-low-level component of Automotive Grade Linux.

RemediationAI

Review the technical analysis and proof-of-concept at https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643 to understand the exact vulnerable code path. Check the upstream Gerrit repository (https://gerrit.automotivelinux.org/gerrit/apps/agl-service-can-low-level) for patches or commits addressing receive.c line 87-89 bounds validation. As of this analysis, no vendor-released patched version number is confirmed. If a patched AGL distribution or updated agl-service-can-low-level package becomes available, upgrade immediately. In the absence of an official patch, implement the following compensating controls with their trade-offs: (1) Add input validation in isotp_continue_receive to clamp payload_length to min(nibble_value, 7) before memcpy - requires source code modification and rebuild, may break with future upstream merges. (2) Deploy CAN bus firewall rules or gateway filtering to drop Single Frame CAN messages with payload_length nibble values 8-15 - reduces attack surface but may block legitimate oversized frames if any protocol extensions use them, risking functional regressions. (3) Restrict physical and network access to CAN bus interfaces (OBD-II port locks, disable diagnostic protocols on production vehicles) - limits attacker proximity but impedes legitimate diagnostics and may not be feasible for fleet telematics. (4) Enable memory safety protections (AddressSanitizer in development, heap canaries in production builds) to detect over-reads at runtime - increases memory overhead by 20-30 percent and may cause crashes instead of silent corruption, potentially triggering fail-safe modes in safety-critical systems.

Share

EUVD-2026-26686 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy