Skip to main content

Vanetza EUVDEUVD-2026-32006

| CVE-2026-44905 HIGH
Uncaught Exception (CWE-248)
2026-05-26 GitHub_M
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 26, 2026 - 22:11 vuln.today
Analysis Generated
May 26, 2026 - 22:11 vuln.today

DescriptionGitHub Advisory

Vanetza is an open-source implementation of the ETSI C-ITS protocol suite. In 26.02 and earlier, a denial-of-service vulnerability was identified in the cryptographic verification pipeline of Vanetza. When processing incoming V2X messages, the ASN.1 decoder accepts the structure as syntactically valid. However, this reveals a logic-based protocol failure where semantic constraints on specific fields are only strictly enforced during OER re-encoding. Specifically, if a crafted packet contains a certificate where the Psid (Provider Service Identifier) sub-type violates subtype constraints (e.g., out-of-range or invalid CHOICE variant), it is accepted during initial parsing, where subtype constraints are not enforced. Later, when StraightVerifyService attempts to calculate a message hash for cryptographic verification, it must re-encode the signing certificate. The underlying ASN.1 wrapper (asn1c_wrapper.cpp) detects the semantic violation during encoding and raises a std::runtime_error. This exception is not caught within the encoding path and propagates to std::terminate, resulting in immediate process termination. This vulnerability is fixed with commit e1a2e2709210d309458c3d77f98d50dec26c0df0.

AnalysisAI

Denial of service in Vanetza (riebl) versions 26.02 and earlier lets remote unauthenticated attackers crash the V2X message-processing daemon by sending a crafted Secured Message whose signing certificate carries an out-of-range or invalid-CHOICE Psid value. The malformed certificate passes the permissive ASN.1 decode step but trips a semantic constraint check during OER re-encoding inside the signature-verification path, raising an exception that is never caught and forcing std::terminate. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the network-reachable, no-authentication, low-complexity profile (CVSS 7.5) makes it a credible availability risk for any node that verifies untrusted V2X traffic.

Technical ContextAI

Vanetza is an open-source C++ implementation of the ETSI Cooperative Intelligent Transport Systems (C-ITS) protocol suite, used in vehicle-to-everything (V2X) communication stacks where nodes continuously receive and cryptographically verify signed messages from untrusted peers. The flaw is a textbook CWE-248 (Uncaught Exception) rooted in inconsistent enforcement of ASN.1 constraints: the inbound decoder accepts a certificate's Psid (Provider Service Identifier) sub-type as syntactically valid without enforcing subtype/value constraints, but the asn1c_wrapper.cpp OER encoder - invoked when v3::calculate_message_hash re-encodes the signing certificate to compute the verification hash - does enforce those constraints and throws a std::runtime_error on violation. Because StraightVerifyService::verify() did not wrap the hash-calculation call in a try/catch, the exception propagated out of the encoding path to std::terminate. The CPE cpe:2.3:a:riebl:vanetza:*:*:*:*:*:*:*:* covers the riebl/vanetza application across all versions up to the fix.

RemediationAI

Upstream fix available (PR/commit); released patched version not independently confirmed - apply the change from commit e1a2e2709210d309458c3d77f98d50dec26c0df0, which wraps the calculate_message_hash call in StraightVerifyService::verify() in a try/catch so that malformed certificate encoding now sets the result to VerificationReport::Incompatible_Protocol instead of letting the exception reach std::terminate; rebuild and redeploy from a branch including that commit, and consult the advisory at https://github.com/riebl/vanetza/security/advisories/GHSA-q9fq-3rx9-7xcv for any tagged release. Because no fixed version number was supplied in the input, do not assume a packaged release exists - build from the patched source if your distribution has not yet shipped it. As an interim compensating control where patching is not immediately possible, restrict which peers can deliver V2X messages to the verification service (network segmentation or upstream filtering of the C-ITS message channel) to limit who can submit crafted certificates, accepting the trade-off that V2X is inherently a broadcast/peer environment so filtering may reduce legitimate interoperability; additionally, run the receiver under a process supervisor that auto-restarts on termination to reduce outage duration, recognizing this only shortens downtime rather than preventing the crash.

Share

EUVD-2026-32006 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy