CVE-2026-37537
Awaiting Analysis Awaiting Analysis - Queue
Integer Underflow Leading to Out-of-Bounds Write in Open-SAE-J1939

Publication date: 2026-05-01

Last updated on: 2026-05-07

Assigner: MITRE

Description
collin80/Open-SAE-J1939 thru commit 744024d4306bc387857dfce439558336806acb06 (2023-03-08) contains an integer underflow leading to out-of-bounds write in Transport Protocol Data Transfer handling. At line 23: uint8_t index = data[0] - 1. When data[0] (sequence number from CAN frame) is 0, index underflows to 255. Subsequent write at tp_dt->data[255*7 + i-1] reaches offset 1791, exceeding the MAX_TP_DT buffer (1785 bytes) by 6 bytes.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-37537
EUVD
EUVD-2026-26690
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
collin80 open-sae-j1939 *
openxc isotp-c *
miaofng uds-c *
socketcand socketcand *
cannelloni cannelloni *
openamp openamp 2025.10.0
open_vehicle_monitoring_system open_vehicle_monitoring_system 3.3.005
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the collin80/Open-SAE-J1939 project up to commit 744024d4306bc387857dfce439558336806acb06. It is caused by an integer underflow in the Transport Protocol Data Transfer handling code. Specifically, when the sequence number from a CAN frame (data[0]) is 0, subtracting 1 causes the index variable to underflow to 255. This leads to an out-of-bounds write beyond the allocated buffer size, potentially corrupting memory.

Impact Analysis

The integer underflow and subsequent out-of-bounds write can lead to memory corruption. According to the CVSS score, this vulnerability has a high impact on integrity and availability, meaning it could allow an attacker to alter data or cause a denial of service. The attack vector is adjacent network, requiring low attack complexity and no privileges or user interaction.

Compliance Impact

The provided context and resources do not contain information regarding the impact of CVE-2026-37537 on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves an integer underflow in the collin80/Open-SAE-J1939 library when processing CAN frames, specifically when the sequence number in data[0] is zero, causing out-of-bounds writes.

Detection can focus on monitoring CAN frames on your network or system for malformed or crafted CAN frames with a sequence number of zero that trigger the vulnerability.

Since the vulnerability is triggered by specific CAN frames, you can use CAN bus monitoring tools or commands to capture and analyze CAN traffic for frames with data[0] equal to zero.

  • Use a CAN bus sniffer or analyzer (e.g., can-utils on Linux) to capture CAN frames: `candump can0`
  • Filter captured frames to identify those with the first byte (data[0]) equal to zero, which can be done by scripting or using tools like `canplayer` or custom scripts parsing candump output.
  • Look for abnormal or unexpected CAN frames that could cause the integer underflow and out-of-bounds write.
Mitigation Strategies

Immediate mitigation steps should focus on preventing the processing of malformed CAN frames that trigger the integer underflow.

  • Implement input validation to ensure that the sequence number (data[0]) in CAN frames is never zero before processing.
  • Apply patches or updates to the collin80/Open-SAE-J1939 library that fix the integer underflow and buffer overflow issues.
  • If patching is not immediately possible, consider filtering or blocking CAN frames with suspicious or out-of-range sequence numbers at the network or device level.
  • Monitor CAN traffic closely for signs of exploitation attempts and isolate affected systems if suspicious activity is detected.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-37537. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart