Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
AGL agl-service-can-low-level contains a stack buffer overflow in the uds-c library. The send_diagnostic_request function in uds.c allocates a 6-byte stack buffer (MAX_DIAGNOSTIC_PAYLOAD_SIZE=6) but copies up to 7 bytes (MAX_UDS_REQUEST_PAYLOAD_LENGTH=7) via memcpy at an offset of 1+pid_length (2-3 bytes), resulting in 1-4 bytes of controlled stack overflow. The payload_length field (uint8_t) has no bounds check against the destination buffer. On 32-bit ARM automotive ECUs without stack canaries, this can lead to return address overwrite and RCE.
AnalysisAI
Stack buffer overflow in AGL agl-service-can-low-level's uds-c library enables remote code execution on vulnerable automotive ECUs. The send_diagnostic_request function copies up to 7 bytes into a 6-byte stack buffer without bounds checking, allowing 1-4 bytes of controlled stack corruption. On 32-bit ARM ECUs without stack canaries (common in automotive deployments), attackers can overwrite return addresses to achieve arbitrary code execution. CVSS 7.5 with network attack vector and no authentication required indicates critical exposure, though CVSS impact vector (C:N/I:N/A:H) appears inconsistent with RCE capability described - vendor assessment may undervalue confidentiality/integrity impact of code execution.
Technical ContextAI
The vulnerability resides in the Unified Diagnostic Services (UDS) implementation within agl-service-can-low-level, a CAN bus diagnostic service component of Automotive Grade Linux. UDS is an ISO 14229 protocol for automotive diagnostics over CAN networks. The flaw is a classic CWE-121 stack-based buffer overflow: send_diagnostic_request() in uds.c defines MAX_DIAGNOSTIC_PAYLOAD_SIZE as 6 bytes but attempts to copy MAX_UDS_REQUEST_PAYLOAD_LENGTH (7 bytes) via memcpy at offset 1+pid_length (2-3 bytes total offset). With an unchecked uint8_t payload_length field, an attacker can trigger memcpy to write beyond the 6-byte boundary. The CPE string is generic (n/a:n/a), indicating affected product enumeration is incomplete. Automotive ECUs typically run on 32-bit ARM without modern exploit mitigations like stack canaries or ASLR, making return-oriented programming and direct return address overwrite trivial.
RemediationAI
Apply vendor security patch when released by Automotive Grade Linux project - monitor https://gerrit.automotivelinux.org/gerrit/apps/agl-service-can-low-level for commits addressing CVE-2026-42485. Technical analysis at https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643 may contain additional mitigation guidance. Until patched version is available, implement network-level isolation: restrict CAN bus diagnostic service access to authenticated service networks only, disable external telematics routing to UDS endpoints, and block OBD-II port network bridging in production vehicles. For ECU deployments, recompile agl-service-can-low-level with stack canaries enabled (-fstack-protector-strong) and position-independent code to provide exploit mitigation layers, though this requires build environment access and may impact real-time performance constraints. Input validation workaround: if source modification is feasible, add explicit bounds check before memcpy to ensure payload_length + 1 + pid_length does not exceed MAX_DIAGNOSTIC_PAYLOAD_SIZE (6 bytes). Network segmentation is the most practical immediate control for operational vehicle fleets.
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Stack Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26698