Skip to main content

uds-c EUVDEUVD-2026-26689

| CVE-2026-37536 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-05-01 mitre
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 01, 2026 - 17:31 vuln.today
EUVD ID Assigned
May 01, 2026 - 17:00 euvd
EUVD-2026-26689
Analysis Generated
May 01, 2026 - 17:00 vuln.today
CVE Published
May 01, 2026 - 00:00 nvd
HIGH 8.8

DescriptionCVE.org

miaofng/uds-c commit e506334e270d77b20c0bc259ac6c7d8c9b702b7a (2016-10-05) contains a stack buffer overflow in send_diagnostic_request. A 6-byte stack buffer (MAX_DIAGNOSTIC_PAYLOAD_SIZE=6) receives memcpy at offset 1+pid_length with payload_length bytes. MAX_UDS_REQUEST_PAYLOAD_LENGTH=7, so 1+2+7=10 exceeds buffer by 4 bytes. No bounds check on payload_length before memcpy.

AnalysisAI

Stack buffer overflow in miaofng/uds-c library allows adjacent network attackers to execute arbitrary code via crafted diagnostic payload. The send_diagnostic_request function allocates only 6 bytes for MAX_DIAGNOSTIC_PAYLOAD_SIZE but accepts up to 7 bytes of payload (MAX_UDS_REQUEST_PAYLOAD_LENGTH), enabling 4-byte overflow when combined with pid_length=2. Affects commit e506334e270d77b20c0bc259ac6c7d8c9b702b7a from October 2016 and likely later versions unless patched. No CISA KEV listing or EPSS data indicates exploitation remains theoretical; vulnerability appears in automotive diagnostic library with limited deployment exposure.

Technical ContextAI

The vulnerability exists in uds-c, a C implementation of the Unified Diagnostic Services (UDS) protocol used in automotive ECU communication (ISO 14229). The send_diagnostic_request function performs a memcpy operation into a 6-byte stack buffer starting at offset 1+pid_length (typically 1+2=3) for payload_length bytes. With MAX_UDS_REQUEST_PAYLOAD_LENGTH defined as 7, the maximum write is 1+2+7=10 bytes into a 6-byte buffer, creating a 4-byte overflow. The vulnerability stems from missing bounds validation on the payload_length parameter before the memcpy call, a classic CWE-120 (Buffer Copy without Checking Size of Input) pattern. This library appears to be a fork or variant of the OpenXC uds-c implementation, suggesting the vulnerability may exist in related codebases.

RemediationAI

Review the vulnerability analysis at https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 for technical details. Check upstream repositories (miaofng/uds-c and openxc/uds-c) for commits adding bounds validation on payload_length parameter in send_diagnostic_request function; no specific patched version number is confirmed from available data. If using affected commit e506334e270d77b20c0bc259ac6c7d8c9b702b7a or nearby versions, apply source-level patch adding check: if (1 + pid_length + payload_length > MAX_DIAGNOSTIC_PAYLOAD_SIZE) return error before memcpy. For embedded systems where patching is infeasible, implement network-layer mitigations: restrict access to diagnostic interfaces using firewall rules allowing only trusted diagnostic tools, deploy network segmentation isolating vehicle/CAN networks from untrusted adjacent networks, and implement message filtering to reject UDS requests exceeding safe payload sizes at the gateway level. Note that disabling diagnostic services may impact legitimate maintenance and telemetry functions. Systems using this library only on physically isolated test benches face lower risk than production vehicle deployments.

Share

EUVD-2026-26689 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy