CVE-2026-37536
Stack Buffer Overflow in UDS-C Library
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| miaofng | uds-c | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves a stack buffer overflow in the send_diagnostic_request function of the uds-c library when handling diagnostic requests with payloads exceeding the buffer size. Detection would involve monitoring UDS diagnostic requests on the CAN bus for payload lengths that exceed the expected maximum (a payload length greater than 7 bytes).
Since uds-c is used for sending and receiving UDS messages over CAN, you can capture CAN traffic and analyze diagnostic request messages for abnormal payload sizes.
- Use a CAN bus monitoring tool (e.g., can-utils on Linux) to capture traffic: `candump can0`
- Filter for UDS diagnostic request messages (e.g., service IDs like 0x10, 0x22) and inspect payload lengths.
- Look for diagnostic requests where the payload length field exceeds 7 bytes, which could trigger the overflow.
No specific commands from the uds-c library are provided in the resources, but general CAN traffic capture and analysis commands are applicable.
Can you explain this vulnerability to me?
This vulnerability is a stack buffer overflow found in the miaofng/uds-c project, specifically in the send_diagnostic_request function. The issue arises because a 6-byte stack buffer is used to store data, but the code copies more data than the buffer can hold without checking the length first. This happens when memcpy copies payload_length bytes starting at an offset that causes the total copied data to exceed the buffer size by 4 bytes, leading to a buffer overflow.
How can this vulnerability impact me?
The buffer overflow can lead to serious security impacts including the potential for an attacker to execute arbitrary code, cause a denial of service by crashing the application, or corrupt memory. The CVSS score of 8.8 indicates a high severity with impacts on confidentiality, integrity, and availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include preventing the processing of diagnostic requests with payload lengths exceeding the maximum allowed size (7 bytes) to avoid triggering the stack buffer overflow.
Since the vulnerability is in the uds-c library's send_diagnostic_request function, ensure that any software using this library validates payload lengths before sending or processing diagnostic requests.
If possible, update to a patched version of the uds-c library where bounds checking on payload_length is implemented before memcpy operations.
In the short term, restrict or filter incoming CAN diagnostic requests to block those with suspiciously large payloads.
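The bounds check that the mitigation calls for, shown in a constructed C example added to this record; it is not the uds-c library's own send_diagnostic_request code. It assumes the ISO-TP single-frame layout (one PCI byte plus at most 7 bytes of UDS data in an 8-byte classic CAN frame) and the names build_single_frame, CAN_FRAME_LEN and UDS_SF_MAX_PAYLOAD are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model, not the uds-c code: a classic CAN frame carries 8 data
 * bytes; an ISO-TP single frame uses byte 0 as the PCI (high nibble 0 =
 * single frame, low nibble = length) and bytes 1..7 for the UDS request
 * (service ID followed by its parameters). At most 7 bytes of UDS data
 * therefore fit, which is the limit the advisory text refers to. */
#define CAN_FRAME_LEN        8
#define UDS_SF_MAX_PAYLOAD   7

/* Returns the number of CAN data bytes written (always 8 on success), or -1
 * when the caller's payload_length would overrun the stack buffer. */
int build_single_frame(const uint8_t *payload, size_t payload_length,
                       uint8_t out[CAN_FRAME_LEN])
{
    uint8_t frame[CAN_FRAME_LEN] = {0};   /* stack buffer, zero padded */

    /* The check the advisory asks for: reject before any copy happens.
     * The vulnerable pattern is the same memcpy with this test missing. */
    if (payload == NULL || payload_length == 0 ||
        payload_length > UDS_SF_MAX_PAYLOAD)
        return -1;

    frame[0] = (uint8_t)payload_length;   /* single-frame PCI byte: 0x0N */
    memcpy(&frame[1], payload, payload_length);
    memcpy(out, frame, CAN_FRAME_LEN);
    return CAN_FRAME_LEN;
}

int main(void)
{
    uint8_t out[CAN_FRAME_LEN];
    /* constructed sample: DiagnosticSessionControl (0x10), extended session (0x03) */
    const uint8_t ok_req[] = {0x10, 0x03};
    /* constructed oversize request: 9 bytes would overrun the 8-byte frame */
    const uint8_t bad_req[9] = {0x22, 0xF1, 0x90, 0, 0, 0, 0, 0, 0};

    if (build_single_frame(ok_req, sizeof ok_req, out) == CAN_FRAME_LEN)
        printf("accepted: PCI=0x%02X SID=0x%02X\n", out[0], out[1]);
    if (build_single_frame(bad_req, sizeof bad_req, out) < 0)
        puts("rejected: payload_length exceeds the single-frame limit");
    return 0;
}
```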