CVE-2026-37537
Integer Underflow Leading to Out-of-Bounds Write in Open-SAE-J1939
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| collin80 | open-sae-j1939 | * |
| openxc | isotp-c | * |
| miaofng | uds-c | * |
| socketcand | socketcand | * |
| cannelloni | cannelloni | * |
| openamp | openamp | 2025.10.0 |
| open_vehicle_monitoring_system | open_vehicle_monitoring_system | 3.3.005 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the collin80/Open-SAE-J1939 project up to commit 744024d4306bc387857dfce439558336806acb06. It is caused by an integer underflow in the Transport Protocol Data Transfer handling code. Specifically, when the sequence number from a CAN frame (data[0]) is 0, subtracting 1 causes the index variable to underflow to 255. This leads to an out-of-bounds write beyond the allocated buffer size, potentially corrupting memory.
How can this vulnerability impact me?
The integer underflow and subsequent out-of-bounds write can lead to memory corruption. According to the CVSS score, this vulnerability has a high impact on integrity and availability, meaning it could allow an attacker to alter data or cause a denial of service. The attack vector is adjacent network, requiring low attack complexity and no privileges or user interaction.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided context and resources do not contain information regarding the impact of CVE-2026-37537 on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an integer underflow in the collin80/Open-SAE-J1939 library when processing CAN frames, specifically when the sequence number in data[0] is zero, causing out-of-bounds writes.
Detection can focus on monitoring CAN frames on your network or system for malformed or crafted CAN frames with a sequence number of zero that trigger the vulnerability.
Since the vulnerability is triggered by specific CAN frames, you can use CAN bus monitoring tools or commands to capture and analyze CAN traffic for frames with data[0] equal to zero.
- Use a CAN bus sniffer or analyzer (e.g., can-utils on Linux) to capture CAN frames: `candump can0`
- Filter the captured frames for those whose first byte (data[0]) is zero, for example with custom scripts that parse candump output.
- Look for abnormal or unexpected CAN frames that could cause the integer underflow and out-of-bounds write.
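One way to script the filtering step above, as an added example that is not code from this page or from the Open-SAE-J1939 project. It assumes the standard J1939 29-bit identifier layout and that Transport Protocol Data Transfer frames carry PDU Format 0xEB (PGN 0xEB00), so that ordinary frames that merely start with a zero byte are not reported. The function names and the sample capture are constructed for illustration.

```python
import re

TP_DT_PF = 0xEB  # PDU Format byte of J1939 TP.DT (PGN 0xEB00)

# candump -L log format: "(ts) can0 18EBFF21#0041424344454647"
LOG_RE = re.compile(r"^\([\d.]+\)\s+\S+\s+([0-9A-Fa-f]+)#([0-9A-Fa-f]*)\s*$")
# candump console format: "  can0  18EBFF21   [8]  00 41 ..." (timestamp optional)
CONSOLE_RE = re.compile(
    r"^\s*(?:\([\d.]+\)\s+)?\S+\s+([0-9A-Fa-f]+)\s+\[\d+\]\s*((?:[0-9A-Fa-f]{2}\s*)*)$")

def parse_frame(line):
    """Return (can_id, payload) for a 29-bit data frame, else None."""
    m = LOG_RE.match(line) or CONSOLE_RE.match(line)
    if not m or len(m.group(1)) != 8:   # candump prints extended IDs as 8 hex digits
        return None
    try:
        return int(m.group(1), 16), bytes.fromhex("".join(m.group(2).split()))
    except ValueError:                  # odd number of hex digits: malformed line
        return None

def find_zero_sequence_tpdt(lines):
    """List (line_no, source_addr, dest_addr) for TP.DT frames whose data[0] is 0."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        frame = parse_frame(line)
        if frame is None:
            continue
        can_id, payload = frame
        pdu_format = (can_id >> 16) & 0xFF   # DP/EDP bits ignored, errs toward flagging
        if pdu_format == TP_DT_PF and payload and payload[0] == 0:
            hits.append((line_no, can_id & 0xFF, (can_id >> 8) & 0xFF))
    return hits

# Constructed sample capture (not real traffic).
SAMPLE = """\
(1714550000.100000) can0 18EBFF21#0141424344454647
(1714550000.200000) can0 18EBFF21#0041424344454647
  can0  1CEB3380   [8]  00 FF FF FF FF FF FF FF
  can0  18FEF100   [8]  00 11 22 33 44 55 66 77
  can0  123   [2]  00 01
""".splitlines()

if __name__ == "__main__":
    for line_no, src, dst in find_zero_sequence_tpdt(SAMPLE):
        print(f"line {line_no}: TP.DT sequence 0 from 0x{src:02X} to 0x{dst:02X}")
```

The fourth sample line starts with a zero byte but belongs to a different PGN, which is why the check matches on the identifier as well as on data[0].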
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps should focus on preventing the processing of malformed CAN frames that trigger the integer underflow.
- Implement input validation to ensure that the sequence number (data[0]) in CAN frames is never zero before processing.
- Apply patches or updates to the collin80/Open-SAE-J1939 library that fix the integer underflow and buffer overflow issues.
- If patching is not immediately possible, consider filtering or blocking CAN frames with suspicious or out-of-range sequence numbers at the network or device level.
- Monitor CAN traffic closely for signs of exploitation attempts and isolate affected systems if suspicious activity is detected.