Iso14229
An integer underflow and out-of-bounds read in driftregion iso14229 through version 0.9.0 allows a remote, unauthenticated attacker to crash a UDS server or read up to 65535 bytes of memory past the 4 KB receive buffer by sending a single-byte 0x27 SecurityAccess diagnostic request. The Handle_0x27_SecurityAccess() function in iso14229.c at line 1447 does not validate that recv_len is at least 2 before computing the key-data length by unsigned subtraction; it is the only sub-function handler in the library that lacks this check. No public exploit was identified at time of analysis, though the CVSS 4.0 supplemental metric E:P indicates publicly available exploit code exists. The vulnerability is exposed across CAN bus, OBD-II, ISO-TP, and DoIP transports in the default diagnostic session on automotive ECUs, industrial controllers, and IoT devices.
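The missing length check described above, shown as an added example next to a hardened parse; this is not the library's own code. The function names, the struct, the 16-bit length type and the 2-byte header (service ID plus sub-function) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NRC_OK               0x00u
#define NRC_INCORRECT_LENGTH 0x13u /* incorrectMessageLengthOrInvalidFormat */
#define HDR_LEN              2u    /* assumed: SID byte + sub-function byte */

/* Hypothetical parsed view of a 0x27 SecurityAccess request. */
typedef struct {
    uint8_t        subfunc;
    const uint8_t *key;
    uint16_t       key_len;
} sec_access_req;

/* Flawed pattern: subtract the header size with no minimum-length check.
 * A 1-byte request wraps to 65535 instead of going negative. */
static uint16_t key_len_unchecked(uint16_t recv_len)
{
    return (uint16_t)(recv_len - HDR_LEN);
}

/* Hardened pattern: reject short or oversized requests before any arithmetic
 * or buffer access, and answer with a negative response code. */
static uint8_t parse_security_access(const uint8_t *buf, uint16_t recv_len,
                                     size_t buf_cap, sec_access_req *out)
{
    if (buf == NULL || out == NULL)
        return NRC_INCORRECT_LENGTH;
    if (recv_len < HDR_LEN || recv_len > buf_cap)
        return NRC_INCORRECT_LENGTH;
    out->subfunc = buf[1];
    out->key     = buf + HDR_LEN;
    out->key_len = (uint16_t)(recv_len - HDR_LEN); /* safe: recv_len >= 2 */
    return NRC_OK;
}

int main(void)
{
    /* Constructed sample requests, not captured traffic. */
    const uint8_t short_req[] = { 0x27 };
    const uint8_t full_req[]  = { 0x27, 0x02, 0xAA, 0xBB };
    sec_access_req r = { 0 };

    printf("unchecked key length for 1-byte request: %u\n",
           (unsigned)key_len_unchecked(sizeof short_req));
    printf("checked parse of 1-byte request: NRC 0x%02X\n",
           (unsigned)parse_security_access(short_req, sizeof short_req, sizeof short_req, &r));
    printf("checked parse of 4-byte request: NRC 0x%02X\n",
           (unsigned)parse_security_access(full_req, sizeof full_req, sizeof full_req, &r));
    return 0;
}
```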