Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Analyzer must be run by an operator over attacker-supplied input (UI:R, AV:L, PR:N); impact is a crash only, so availability-high with no confidentiality or integrity impact.
Primary rating from Vendor (VulnCheck).
Description (CVE.org)
CANBoat through 6.22, fixed in commit a5a22b7, contains an off-by-one global buffer overflow in the searchForPgn() function in analyzer/pgn.c that allows remote attackers to crash the application. Attackers can deliver a crafted NMEA-2000 message with an out-of-range PGN value over CAN bus or N2K-over-IP to trigger an out-of-bounds array access and denial of service.
Analysis (AI)
Denial of service in CANBoat (the open-source NMEA 2000/CAN bus analyzer) through version 6.22 allows attackers to crash the analyzer by delivering a crafted NMEA-2000 message containing an out-of-range PGN value. The flaw is an off-by-one global buffer overflow in the searchForPgn() binary-search routine in analyzer/pgn.c, where an out-of-range PGN causes a one-element read past the end of the pgnList[] table. …
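An illustration of this bug class, added here and not CANBoat's code: an inclusive binary search whose upper bound starts at the element count probes index `count` for a key larger than every entry, while a bound of `count - 1` never does. The starting-bound shape of the flaw is an assumption (the page does not show the source), and `demoList`, `search` and the wrapper names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a sorted PGN table; NOT CANBoat's pgnList[]. */
typedef struct { uint32_t pgn; const char *name; } PgnEntry;
static const PgnEntry demoList[] = {
    {59392, "ISO Acknowledgement"}, {59904, "ISO Request"},
    {60928, "ISO Address Claim"},   {126992, "System Time"},
    {127250, "Vessel Heading"},     {130306, "Wind Data"},
};
#define DEMO_COUNT (sizeof(demoList) / sizeof(demoList[0]))

/* Inclusive-bounds binary search starting with upper index `last`.
 * Returns the matching index or -1; *max_probe receives the highest index
 * the search asked for. A probe at or past DEMO_COUNT is recorded but never
 * dereferenced, so the demo itself stays memory-safe. */
static long search(size_t last, uint32_t pgn, size_t *max_probe)
{
    size_t lo = 0, hi = last;
    *max_probe = 0;
    while (lo <= hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (mid > *max_probe) *max_probe = mid;
        if (mid >= DEMO_COUNT) return -1;  /* where the overread would occur */
        if (demoList[mid].pgn == pgn) return (long)mid;
        if (demoList[mid].pgn < pgn) lo = mid + 1;
        else if (mid == 0) break;          /* avoid size_t underflow */
        else hi = mid - 1;
    }
    return -1;
}

/* Assumed flaw shape: upper bound initialised to count, one past the end. */
size_t probe_off_by_one(uint32_t pgn) { size_t m; search(DEMO_COUNT, pgn, &m); return m; }
/* Hardened bound: count - 1, the last valid index. */
size_t probe_fixed(uint32_t pgn) { size_t m; search(DEMO_COUNT - 1, pgn, &m); return m; }
long lookup_fixed(uint32_t pgn) { size_t m; return search(DEMO_COUNT - 1, pgn, &m); }

int main(void)
{
    /* Out-of-range PGN values quoted on this page. */
    const uint32_t pgns[] = {393216, 524287, 1000000, 16777215};
    for (size_t i = 0; i < sizeof(pgns) / sizeof(pgns[0]); i++)
        printf("pgn %u: off-by-one probes index %zu, fixed probes %zu (valid 0..%zu)\n",
               (unsigned)pgns[i], probe_off_by_one(pgns[i]), probe_fixed(pgns[i]),
               DEMO_COUNT - 1);
    return 0;
}
```

In-range lookups behave identically under both bounds, which is why a table search like this can pass ordinary decoding tests and still fail on a PGN above the last entry.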
Vulnerability Assessment (AI)
| Aspect | Details |
| --- | --- |
| Exploitation | Exploitation requires the CANBoat analyzer to process attacker-controlled NMEA-2000 message data and the crafted message to carry a PGN value larger than every entry in the analyzer's pgnList[] table (the published PoC uses 393216; other out-of-range values such as 524287, 1000000, and 16777215 also trigger it). … |
| Risk Assessment | Signals are mostly consistent toward a moderate, availability-only risk. … |
| Exploit Scenario | An attacker with access to the marine CAN bus or to an N2K-over-IP feed injects a single NMEA-2000 frame carrying an out-of-range PGN (e.g., the public PoC value 393216, larger than any entry in pgnList[]). When an operator runs the CANBoat analyzer against that traffic, searchForPgn() reads one element past the PGN table and the process crashes, denying decoding of subsequent navigation/instrument data. … |
| Remediation | Upstream fix available (PR/commit); a released patched version is not independently confirmed from the input. Update CANBoat to a build that includes commit a5a22b7 (PR #649), which is past the 6.22 release line. … |
Recommended Action (AI)
Within 24 hours: inventory all CANBoat deployments; identify current versions and determine which systems are running version 6.22 or earlier. …
Weakness: CWE-193 – Off-by-one Error
Technique: Buffer Overflow
EUVD-2026-39532
GHSA-p2cc-x7hq-6jvm