CVE-2026-37536
Awaiting Analysis Awaiting Analysis - Queue
Stack Buffer Overflow in UDS-C Library

Publication date: 2026-05-01

Last updated on: 2026-05-07

Assigner: MITRE

Description
miaofng/uds-c commit e506334e270d77b20c0bc259ac6c7d8c9b702b7a (2016-10-05) contains a stack buffer overflow in send_diagnostic_request. A 6-byte stack buffer (MAX_DIAGNOSTIC_PAYLOAD_SIZE=6) receives memcpy at offset 1+pid_length with payload_length bytes. MAX_UDS_REQUEST_PAYLOAD_LENGTH=7, so 1+2+7=10 exceeds buffer by 4 bytes. No bounds check on payload_length before memcpy.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-05-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-37536
EUVD
EUVD-2026-26689
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
miaofng uds-c *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

The vulnerability involves a stack buffer overflow in the send_diagnostic_request function of the uds-c library when handling diagnostic requests with payloads exceeding the buffer size. Detection would involve monitoring UDS diagnostic requests on the CAN bus for payload lengths that exceed the expected maximum (greater than 7 bytes payload length).

Since uds-c is used for sending and receiving UDS messages over CAN, you can capture CAN traffic and analyze diagnostic request messages for abnormal payload sizes.

  • Use a CAN bus monitoring tool (e.g., can-utils on Linux) to capture traffic: `candump can0`
  • Filter for UDS diagnostic request messages (e.g., service IDs like 0x10, 0x22) and inspect payload lengths.
  • Look for diagnostic requests where the payload length field exceeds 7 bytes, which could trigger the overflow.

No specific commands from the uds-c library are provided in the resources, but general CAN traffic capture and analysis commands are applicable.

Executive Summary

This vulnerability is a stack buffer overflow found in the miaofng/uds-c project, specifically in the send_diagnostic_request function. The issue arises because a 6-byte stack buffer is used to store data, but the code copies more data than the buffer can hold without checking the length first. This happens when memcpy copies payload_length bytes starting at an offset that causes the total copied data to exceed the buffer size by 4 bytes, leading to a buffer overflow.

Impact Analysis

The buffer overflow can lead to serious security impacts including the potential for an attacker to execute arbitrary code, cause a denial of service by crashing the application, or corrupt memory. The CVSS score of 8.8 indicates a high severity with impacts on confidentiality, integrity, and availability.

Compliance Impact

The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

Immediate mitigation steps include preventing the processing of diagnostic requests with payload lengths exceeding the maximum allowed size (7 bytes) to avoid triggering the stack buffer overflow.

Since the vulnerability is in the uds-c library's send_diagnostic_request function, ensure that any software using this library validates payload lengths before sending or processing diagnostic requests.

If possible, update to a patched version of the uds-c library where bounds checking on payload_length is implemented before memcpy operations.

In the short term, restrict or filter incoming CAN diagnostic requests to block those with suspiciously large payloads.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-37536. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart