CVE-2026-37530
Stack Buffer Overflow in AGL agl-service-can-low-level
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| agl | agl-service-can-low-level | up to and including 17.1.12 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stack buffer overflow in the uds-c library bundled with AGL agl-service-can-low-level up to and including version 17.1.12. The function send_diagnostic_request builds the outgoing UDS request in a 6-byte buffer on the stack but copies up to 7 bytes of caller-supplied payload into it without checking that they fit. Because the copy starts after the leading bytes already placed in the buffer, between 1 and 4 bytes spill past its end onto whatever the compiler stored next on the stack, which can include saved registers and the return address.
The root cause is that the payload_length field of the request, which controls how many bytes are copied, is never compared against the space remaining in the destination buffer. On 32-bit ARM automotive ECUs built without stack canaries, a crafted request can therefore overwrite the return address, and any client able to submit diagnostic requests to the service API can turn this into arbitrary code execution in the context of the service.
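The following is an added example, not code from agl-service-can-low-level or uds-c: a model of the unchecked copy described above next to the bounds check it is missing. The struct layout, the field names (payload_length, copy_offset), the function names and the 16-byte "stack frame" array are assumptions chosen for the demonstration; only the 6-byte buffer and the up-to-7-byte copy come from the advisory. The unchecked builder writes into a constructed frame model so the overflow can be observed without corrupting the real stack; the checked builder rejects any request that would not fit.

```c
/* Added example, not code from agl-service-can-low-level or uds-c: a model of the
 * unchecked copy the advisory describes, next to the bounds check it is missing.
 * Struct, field and function names are assumptions chosen for the demonstration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIAG_BUF_SIZE   6   /* size of the stack buffer named in the advisory */
#define MAX_REQ_PAYLOAD 7   /* largest copy the advisory says can occur */
#define FRAME_MODEL     16  /* the buffer plus the bytes that follow it on the stack */
#define SENTINEL        0xAA

/* Hypothetical request shape (assumption, not the library's struct). */
typedef struct {
    uint8_t mode;                     /* service byte written at offset 0 */
    uint8_t payload[MAX_REQ_PAYLOAD];
    uint8_t payload_length;           /* attacker-controlled */
    size_t  copy_offset;              /* where the copy lands after the leading bytes */
} diag_request_t;

/* Vulnerable pattern: copies payload_length bytes with no comparison against
 * DIAG_BUF_SIZE. frame[] is a constructed model of the stack: bytes 0..5 are the
 * 6-byte buffer, bytes 6..15 stand in for saved registers / return address and are
 * pre-filled with SENTINEL. Returns how many of those adjacent bytes were overwritten
 * (0 = no overflow), or SIZE_MAX if the inputs exceed the model itself. */
size_t build_unchecked(const diag_request_t *req, uint8_t frame[FRAME_MODEL]) {
    if (req->payload_length > MAX_REQ_PAYLOAD ||
        req->copy_offset + req->payload_length > FRAME_MODEL)
        return SIZE_MAX;              /* keep the demonstration well-defined */
    memset(frame, SENTINEL, FRAME_MODEL);
    memset(frame, 0, DIAG_BUF_SIZE);
    frame[0] = req->mode;
    /* VULNERABLE: nothing guarantees copy_offset + payload_length <= DIAG_BUF_SIZE */
    memcpy(frame + req->copy_offset, req->payload, req->payload_length);
    size_t clobbered = 0;             /* count sentinel bytes that were overwritten */
    for (size_t i = DIAG_BUF_SIZE; i < FRAME_MODEL; i++)
        if (frame[i] != SENTINEL) clobbered++;
    return clobbered;
}

/* Hardened form: the check the advisory says is missing. Rejects any request whose
 * copy would not fit in the buffer; on success fills out[] and returns true. */
bool build_checked(const diag_request_t *req, uint8_t out[DIAG_BUF_SIZE]) {
    if (req->payload_length > MAX_REQ_PAYLOAD ||
        req->copy_offset >= DIAG_BUF_SIZE ||
        req->payload_length > DIAG_BUF_SIZE - req->copy_offset)
        return false;
    memset(out, 0, DIAG_BUF_SIZE);
    out[0] = req->mode;
    memcpy(out + req->copy_offset, req->payload, req->payload_length);
    return true;
}

/* Helpers: build a request with a constructed payload 0x01..0x07 (no byte equals
 * SENTINEL, so clobbered bytes are distinguishable) and run each builder. */
static diag_request_t make_request(size_t copy_offset, uint8_t payload_length) {
    diag_request_t r;
    memset(&r, 0, sizeof r);
    r.mode = 0x22;                    /* ReadDataByIdentifier, a realistic service byte */
    for (uint8_t i = 0; i < MAX_REQ_PAYLOAD; i++) r.payload[i] = (uint8_t)(i + 1);
    r.payload_length = payload_length;
    r.copy_offset = copy_offset;
    return r;
}

size_t overflow_bytes(size_t copy_offset, uint8_t payload_length) {
    uint8_t frame[FRAME_MODEL];
    diag_request_t r = make_request(copy_offset, payload_length);
    return build_unchecked(&r, frame);
}

bool request_accepted(size_t copy_offset, uint8_t payload_length) {
    uint8_t out[DIAG_BUF_SIZE];
    diag_request_t r = make_request(copy_offset, payload_length);
    return build_checked(&r, out);
}

int main(void) {
    /* Copy offsets 1..3 with a 7-byte copy reproduce the advisory's 1-to-4-byte range. */
    for (size_t off = 1; off <= 3; off++)
        for (uint8_t len = 5; len <= MAX_REQ_PAYLOAD; len++)
            printf("offset %zu len %u: overflow %zu bytes, checked build %s\n",
                   off, (unsigned)len, overflow_bytes(off, len),
                   request_accepted(off, len) ? "accepted" : "rejected");
    return 0;
}
```

Running it prints, for each offset and length, how many bytes past the 6-byte buffer the unchecked copy overwrote and whether the checked builder would have accepted the same request; every request the unchecked path lets overflow is one the checked path rejects. The check is written as `payload_length > DIAG_BUF_SIZE - copy_offset` rather than `copy_offset + payload_length > DIAG_BUF_SIZE` so that it cannot itself wrap on small integer types.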
How can this vulnerability impact me?
The impact is most severe in automotive environments running this service on 32-bit ARM ECUs built without stack protection. An attacker who can submit a crafted diagnostic request to the service API can overwrite the return address on the stack and execute code with the privileges of the CAN service.
Arbitrary code execution on the device lets the attacker interfere with the automotive functions that depend on this service, compromising the integrity and potentially the safety of the systems that rely on it.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The malformed input enters through the CAN service API rather than from the CAN bus itself, so the most reliable check is the installed version: any agl-service-can-low-level release up to and including 17.1.12 carries the unchecked copy. On a running system, also look for UDS (Unified Diagnostic Services) diagnostic requests whose payload is longer than the 6-byte buffer, and for crashes or restarts of the service shortly after diagnostic requests are submitted.
Bus-side monitoring can supplement this but has limits: a classic CAN frame carries at most 8 data bytes and a legitimate ISO-TP single frame carries up to 7 bytes of UDS data, so a 7-byte payload on the wire is not by itself proof of an attack. Treat the following as starting points:
- Capture traffic with can-utils: `candump can0` (or `candump -l can0` to log to a file for offline analysis).
- Post-process the capture to flag diagnostic request frames whose payload length exceeds 6 bytes, and correlate them with the API client that issued them and with any service crashes.
- On the system running the service, check its logs or enable debugging so that the payload_length of incoming diagnostic requests is recorded, and look for values larger than the buffer can hold.
What immediate steps should I take to mitigate this vulnerability?
Restrict access to the CAN service API to trusted clients only, so that untrusted processes cannot submit diagnostic requests to the service at all.
Upgrade to a vendor release that adds the missing bounds check on payload_length before the copy into the 6-byte buffer; this is the only change that removes the flaw.
Until a patch is deployed, reject or drop diagnostic requests whose payload exceeds the safe length before they reach the vulnerable function, for example in an API-level filter or in the application that forwards requests. Because the affected ECUs may be built without stack canaries, enabling stack protection and similar hardening in the build is worthwhile defense in depth, but it does not replace the fix.