CVE-2026-54413
Status: Received - Intake
Integer Underflow in driftregion iso14229 UDS Server

Publication date: 2026-06-14

Last updated on: 2026-06-14

Assigner: 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c

Description
driftregion iso14229 through 0.9.0 contains an integer underflow and downstream out-of-bounds read in the Handle_0x27_SecurityAccess() function in iso14229.c that allows a remote unauthenticated attacker to crash a UDS server and potentially read memory past the receive buffer by sending a single-byte 0x27 SecurityAccess request that follows any earlier well-formed 0x27 message.

The handler reads the SecurityAccess subFunction from recv_buf[1] without first checking that recv_len is at least 2, then computes the key-data length as the unsigned subtraction (uint16_t)(recv_len - UDS_0X27_REQ_BASE_LEN); when recv_len equals 1 the result underflows to 65535 and is passed as args.len to the application's SecAccessValidateKey or SecAccessRequestSeed callback, which typically iterates or copies that many bytes from the 4-KB receive buffer. Every other UDS sub-function handler in the library (0x10, 0x11, 0x14, 0x19, 0x22, 0x23, 0x28, and others) performs an explicit recv_len lower-bound check before indexing; Handle_0x27_SecurityAccess is the sole outlier.

The vulnerable handler is reachable over CAN bus, OBD-II, ISO-TP, and DoIP transports and is exposed in the default diagnostic session without prior authentication; deployments on automotive ECUs, industrial controllers, and IoT devices that ship iso14229 as their UDS server are affected.
Meta Information
Published: 2026-06-14
Last Modified: 2026-06-14
Generated: 2026-06-14
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: driftregion; Product: iso14229; Version / Range: 0.9.0
CWE
CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.
CWE-191: The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
Executive Summary

The vulnerability exists in the driftregion iso14229 library (version 0.9.0 and earlier) within the Handle_0x27_SecurityAccess() function. It involves an integer underflow and an out-of-bounds read triggered when processing a SecurityAccess request (0x27) in the UDS protocol. Specifically, the function reads a subFunction byte from the receive buffer without verifying that the buffer length is at least two bytes. If a single-byte 0x27 message is sent following a valid 0x27 message, the calculation of key-data length underflows to a very large value (65535). This causes the application to read or copy memory beyond the intended buffer size, potentially leading to a crash or memory disclosure.

This flaw is unique to the 0x27 handler, as other UDS sub-function handlers perform proper length checks before accessing the buffer. The vulnerability affects devices using iso14229 as their UDS server, including automotive ECUs, industrial controllers, and IoT devices, and it can be exploited remotely without authentication over various transport layers like CAN bus, OBD-II, ISO-TP, and DoIP.

Impact Analysis

This vulnerability allows a remote unauthenticated attacker to crash the UDS server, causing a denial of service. The attacker may additionally be able to read memory beyond the receive buffer, potentially exposing sensitive information held in memory.

Since the vulnerability is exploitable remotely without authentication and affects embedded systems such as automotive ECUs, industrial controllers, and IoT devices, it can lead to operational disruptions and leakage of confidential data in these environments.

Detection Guidance

This vulnerability can be detected by monitoring for anomalous or malformed UDS SecurityAccess (0x27) requests on your network or system, specifically single-byte 0x27 messages that follow a well-formed 0x27 message. Such packets may trigger the integer underflow and out-of-bounds read.

Detection can involve capturing CAN bus, OBD-II, ISO-TP, or DoIP traffic and filtering for 0x27 SecurityAccess requests with a length of 1 byte.

Example commands using common tools might include:

  • Using can-utils on Linux to capture and filter CAN traffic: `candump can0 | grep "27"` to identify SecurityAccess requests. Note that this pattern also matches "27" in CAN IDs and other payload bytes; on ISO-TP single-frame transport a one-byte 0x27 request is carried as data beginning `01 27` (PCI byte with length 1, then the SID), which is the more precise pattern to look for.
  • Using Wireshark with a filter for UDS SecurityAccess service: `uds.service == 0x27` and inspecting packet lengths to find single-byte requests.
  • Using tcpdump or tshark on DoIP networks to filter for packets containing the 0x27 byte and checking their payload length.

Because the vulnerability triggers on a single-byte 0x27 request following a valid 0x27 message, detection should focus on sequences of such messages and their lengths.

Mitigation Strategies

Immediate mitigation steps include:

  • Implement input validation to ensure that the length of received SecurityAccess (0x27) requests is at least 2 bytes before processing.
  • Apply patches or updates to the iso14229 library that fix the integer underflow and out-of-bounds read in the Handle_0x27_SecurityAccess() function.
  • If patching is not immediately possible, consider blocking or filtering single-byte 0x27 SecurityAccess requests at the network level to prevent exploitation.
  • Restrict access to the UDS server by limiting exposure of CAN bus, OBD-II, ISO-TP, and DoIP transports to trusted networks or authenticated users.
  • Monitor logs and network traffic for suspicious 0x27 SecurityAccess requests and anomalous crashes or memory reads.
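The following block illustrates the missing lower-bound check from the description above and the first mitigation step. It is an added example written for this page, not the iso14229 library's own handler; the parse_0x27_hardened and check_* functions are hypothetical names, and the NRC values follow ISO 14229.

```c
#include <stdint.h>
#include <stddef.h>
/* Hypothetical, simplified model of a UDS 0x27 SecurityAccess request parser.
 * Constructed for this page; not the iso14229 library's code. The constant
 * UDS_0X27_REQ_BASE_LEN and the NRC values follow ISO 14229 conventions. */

#define UDS_SID_SECURITY_ACCESS 0x27u
#define UDS_0X27_REQ_BASE_LEN   2u     /* SID byte + subFunction byte */
#define NRC_OK                  0x00u  /* positive response path */
#define NRC_INCORRECT_LEN       0x13u  /* incorrectMessageLengthOrInvalidFormat */

typedef struct {
    uint8_t subfunc;        /* 0x01 requestSeed, 0x02 sendKey, ... */
    const uint8_t *data;    /* seed parameter or key bytes */
    uint16_t len;           /* number of bytes in data */
} sec_access_args_t;

/* The arithmetic the advisory describes: an unsigned subtraction with no
 * lower-bound check. With recv_len == 1 it wraps to 65535. */
static uint16_t naive_key_len(uint16_t recv_len) {
    return (uint16_t)(recv_len - UDS_0X27_REQ_BASE_LEN);
}

/* Hardened parser: bound recv_len before indexing recv_buf[1] or subtracting,
 * so a one-byte request yields NRC 0x13 instead of a 65535-byte args.len. */
static uint8_t parse_0x27_hardened(const uint8_t *recv_buf, uint16_t recv_len,
                                   sec_access_args_t *out) {
    if (recv_buf == NULL || recv_len < UDS_0X27_REQ_BASE_LEN) {
        return NRC_INCORRECT_LEN;
    }
    out->subfunc = recv_buf[1] & 0x7Fu;   /* drop suppressPosRspMsgIndicationBit */
    out->data    = recv_buf + UDS_0X27_REQ_BASE_LEN;
    out->len     = (uint16_t)(recv_len - UDS_0X27_REQ_BASE_LEN);  /* cannot wrap now */
    return NRC_OK;
}

/* Self-checks on constructed frames (not captured traffic). */
static uint8_t check_single_byte_request(void) {
    const uint8_t frame[] = { UDS_SID_SECURITY_ACCESS };   /* the 1-byte request */
    sec_access_args_t args;
    return parse_0x27_hardened(frame, (uint16_t)sizeof frame, &args);
}

static uint16_t check_send_key_len(void) {
    const uint8_t frame[] = { 0x27, 0x02, 0xDE, 0xAD, 0xBE, 0xEF };  /* sendKey + 4-byte key */
    sec_access_args_t args;
    if (parse_0x27_hardened(frame, (uint16_t)sizeof frame, &args) != NRC_OK) return 0;
    return args.len;
}
```

naive_key_len(1) shows the wrapped value that would reach the application callback; parse_0x27_hardened rejects the same input with NRC 0x13 and computes a correct length for a well-formed sendKey request.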

Compliance Impact

The provided context and resources do not contain information regarding the impact of CVE-2026-54413 on compliance with common standards and regulations such as GDPR or HIPAA.
