Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Vanetza is an open-source implementation of the ETSI C-ITS protocol suite. In 26.02 and earlier, a denial-of-service vulnerability was identified in the cryptographic verification pipeline of Vanetza. When processing incoming V2X messages, the ASN.1 decoder accepts the structure as syntactically valid. However, this reveals a logic-based protocol failure where semantic constraints on specific fields are only strictly enforced during OER re-encoding. Specifically, if a crafted packet contains a certificate where the Psid (Provider Service Identifier) sub-type violates subtype constraints (e.g., out-of-range or invalid CHOICE variant), it is accepted during initial parsing, where subtype constraints are not enforced. Later, when StraightVerifyService attempts to calculate a message hash for cryptographic verification, it must re-encode the signing certificate. The underlying ASN.1 wrapper (asn1c_wrapper.cpp) detects the semantic violation during encoding and raises a std::runtime_error. This exception is not caught within the encoding path and propagates to std::terminate, resulting in immediate process termination. This vulnerability is fixed with commit e1a2e2709210d309458c3d77f98d50dec26c0df0.
AnalysisAI
Denial of service in Vanetza (riebl) versions 26.02 and earlier lets remote unauthenticated attackers crash the V2X message-processing daemon by sending a crafted Secured Message whose signing certificate carries an out-of-range or invalid-CHOICE Psid value. The malformed certificate passes the permissive ASN.1 decode step but trips a semantic constraint check during OER re-encoding inside the signature-verification path, raising an exception that is never caught and forcing std::terminate. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the network-reachable, no-authentication, low-complexity profile (CVSS 7.5) makes it a credible availability risk for any node that verifies untrusted V2X traffic.
Technical ContextAI
Vanetza is an open-source C++ implementation of the ETSI Cooperative Intelligent Transport Systems (C-ITS) protocol suite, used in vehicle-to-everything (V2X) communication stacks where nodes continuously receive and cryptographically verify signed messages from untrusted peers. The flaw is a textbook CWE-248 (Uncaught Exception) rooted in inconsistent enforcement of ASN.1 constraints: the inbound decoder accepts a certificate's Psid (Provider Service Identifier) sub-type as syntactically valid without enforcing subtype/value constraints, but the asn1c_wrapper.cpp OER encoder - invoked when v3::calculate_message_hash re-encodes the signing certificate to compute the verification hash - does enforce those constraints and throws a std::runtime_error on violation. Because StraightVerifyService::verify() did not wrap the hash-calculation call in a try/catch, the exception propagated out of the encoding path to std::terminate. The CPE cpe:2.3:a:riebl:vanetza:*:*:*:*:*:*:*:* covers the riebl/vanetza application across all versions up to the fix.
RemediationAI
Upstream fix available (PR/commit); released patched version not independently confirmed - apply the change from commit e1a2e2709210d309458c3d77f98d50dec26c0df0, which wraps the calculate_message_hash call in StraightVerifyService::verify() in a try/catch so that malformed certificate encoding now sets the result to VerificationReport::Incompatible_Protocol instead of letting the exception reach std::terminate; rebuild and redeploy from a branch including that commit, and consult the advisory at https://github.com/riebl/vanetza/security/advisories/GHSA-q9fq-3rx9-7xcv for any tagged release. Because no fixed version number was supplied in the input, do not assume a packaged release exists - build from the patched source if your distribution has not yet shipped it. As an interim compensating control where patching is not immediately possible, restrict which peers can deliver V2X messages to the verification service (network segmentation or upstream filtering of the C-ITS message channel) to limit who can submit crafted certificates, accepting the trade-off that V2X is inherently a broadcast/peer environment so filtering may reduce legitimate interoperability; additionally, run the receiver under a process supervisor that auto-restarts on termination to reduce outage duration, recognizing this only shortens downtime rather than preventing the crash.
Same weakness CWE-248 – Uncaught Exception
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32006