Skip to main content

openxc isotp-c EUVDEUVD-2026-26688

| CVE-2026-37535 HIGH
Out-of-bounds Read (CWE-125)
2026-05-01 mitre
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 01, 2026 - 17:31 vuln.today
EUVD ID Assigned
May 01, 2026 - 17:00 euvd
EUVD-2026-26688
Analysis Generated
May 01, 2026 - 17:00 vuln.today
CVE Published
May 01, 2026 - 00:00 nvd
HIGH 7.1

DescriptionCVE.org

openxc/isotp-c thru commit 5a5d19245f65189202719321facd49ce6f5d46ac (2021-08-09) contains an out-of-bounds read in the ISO-TP Single Frame receive handler, where the 4-bit payload length nibble is used directly as the memcpy size without validating it against the actual CAN data length. A malicious CAN frame with an oversized length nibble can cause memory reads beyond the buffer, allowing attackers to cause a denial of service, or gain sensitive information.

AnalysisAI

Out-of-bounds memory read in openxc/isotp-c ISO-TP Single Frame handler allows adjacent network attackers to trigger denial of service or extract sensitive information via malicious CAN frames. The vulnerability exists in all versions through commit 5a5d19245f65 (August 2021) and stems from unchecked use of a 4-bit payload length field directly as memcpy buffer size. EPSS data unavailable; no CISA KEV listing indicates no confirmed widespread exploitation, though publicly available technical analysis exists (GitHub Gist reference).

Technical ContextAI

This vulnerability affects the ISO-TP (ISO 15765-2) protocol implementation in openxc/isotp-c, a C library for handling ISO Transport Protocol over Controller Area Network (CAN) bus systems commonly used in automotive and industrial control applications. The flaw resides in the Single Frame receive handler (src/isotp/receive.c) where ISO-TP encodes payload length in a 4-bit nibble (0-15 bytes). The vulnerable code performs memcpy using this nibble value without first validating it against the actual CAN frame data length (typically 8 bytes for standard CAN). When a crafted CAN frame presents a length nibble larger than the available data, memcpy reads beyond the allocated buffer boundary, accessing adjacent memory regions. This represents a classic CWE-125 (Out-of-bounds Read) pattern, though no CWE was formally assigned to this CVE.

RemediationAI

Apply bounds checking to the ISO-TP Single Frame length nibble before using it as a memcpy size parameter. Review commits after 5a5d19245f65 (post-August 2021) in the openxc/isotp-c repository at https://github.com/openxc/isotp-c for potential fixes, though no specific patched version or vendor security advisory was identified in available references. If upgrading is not immediately feasible, implement input validation at the CAN frame ingestion layer to reject Single Frames where the length nibble exceeds the actual CAN data field size (8 bytes for classical CAN, up to 64 for CAN-FD). This workaround adds processing overhead and may reject malformed but benign frames. For automotive and industrial deployments, employ CAN bus segmentation and gateway filtering to restrict frame injection to trusted ECUs only, reducing adjacent network attack surface - though this defense-in-depth measure does not eliminate the underlying vulnerability and requires hardware/topology changes. Monitor CAN traffic for anomalous Single Frame length patterns as a detection measure. Note: Compensating controls are effective only if attackers lack physical CAN bus access; they do not protect against compromised or malicious ECUs on the same bus segment.

Share

EUVD-2026-26688 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy