CVE-2026-56790
Deferred - Pending Action
Off-by-One Buffer Overflow in CANBoat

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: VulnCheck

Description
CANBoat through 6.22, fixed in commit a5a22b7, contains an off-by-one global buffer overflow in the searchForPgn() function in analyzer/pgn.c that allows remote attackers to crash the application. Attackers can deliver a crafted NMEA-2000 message with an out-of-range PGN value over CAN bus or N2K-over-IP to trigger an out-of-bounds array access and denial of service.

Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-26
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: canboat
Product: canboat
Version / Range: to 6.22 (inc)
CWE ID: CWE-193
Description: A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.
Compliance Impact

The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-56790 is an off-by-one global buffer overflow vulnerability in the CANBoat software, specifically in the searchForPgn() function located in analyzer/pgn.c. This function performs a binary search on a PGN (Parameter Group Number) lookup table. Due to incorrect initialization and loop conditions, the search can read one element past the end of the pgnList array when processing a PGN value larger than any entry in the table.

An attacker can exploit this by sending a specially crafted NMEA-2000 message with an out-of-range PGN value over the CAN bus or N2K-over-IP. This causes an out-of-bounds array access, leading to a crash or denial of service of the application.

The root cause is that the binary search uses a closed range with the loop condition 'while (start <= end)', allowing the search to proceed beyond valid array bounds. The fix involves changing the search to use a half-open range with 'start < end' and adding range checks to prevent invalid memory access.
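
The bounds difference described above, as an added example that is not CANBoat's own code: a closed-range search modelled so that it reports, rather than performs, the read of index n, next to a half-open search with a range check. The table contents, the function names and the assumption that the flawed version initialises end to the element count are all illustrative.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample table, sorted ascending; not CANBoat's real pgnList. */
static const uint32_t sample_pgns[] = {59392, 59904, 60928, 126992, 127250, 129025};
#define SAMPLE_COUNT (sizeof(sample_pgns) / sizeof(sample_pgns[0]))

/* Model of the flawed bounds. Assumption: end starts at n (the element count)
 * and the loop runs while start <= end. Rather than dereferencing t[n], it
 * returns 1 when that index would be read, 0 otherwise. */
int closed_range_probes_past_end(const uint32_t *t, size_t n, uint32_t key)
{
    size_t start = 0, end = n;
    while (start <= end) {
        size_t mid = start + (end - start) / 2;
        if (mid >= n) return 1;              /* t[n]: one element past the end */
        if (t[mid] == key) return 0;
        if (t[mid] < key) start = mid + 1;
        else if (mid == 0) return 0;         /* avoid size_t underflow */
        else end = mid - 1;
    }
    return 0;
}

/* Hardened form: range check first, then a half-open search over [start, end).
 * Returns the index of key, or -1 when the key is absent or out of range. */
long search_half_open(const uint32_t *t, size_t n, uint32_t key)
{
    if (n == 0 || key < t[0] || key > t[n - 1]) return -1;
    size_t start = 0, end = n;
    while (start < end) {
        size_t mid = start + (end - start) / 2;  /* mid < end <= n, always valid */
        if (t[mid] == key) return (long)mid;
        if (t[mid] < key) start = mid + 1;
        else end = mid;
    }
    return -1;
}

int main(void)
{
    uint32_t too_big = 130000;  /* constructed key above every table entry */
    printf("closed range reads past end: %d\n",
           closed_range_probes_past_end(sample_pgns, SAMPLE_COUNT, too_big));
    printf("half-open result: %ld\n",
           search_half_open(sample_pgns, SAMPLE_COUNT, too_big));
    return 0;
}
```

Only a key larger than every table entry drives the closed-range model to index n; in-range keys, present or absent, stay inside the array.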

Impact Analysis

This vulnerability can be exploited by remote attackers to cause a denial of service (DoS) by crashing any CANBoat-based application that processes NMEA-2000 messages. This includes analyzers, gateways, decoders, CLI tools, network daemons, and log parsers.

Since the attack requires only a single crafted NMEA-2000 message with an out-of-range PGN value, it can be triggered without authentication or user interaction, making it a significant risk for systems relying on CANBoat for processing CAN bus or N2K-over-IP data.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or denial-of-service conditions in CANBoat-based analyzers, gateways, or decoders when they process NMEA-2000 messages containing out-of-range Parameter Group Number (PGN) values.

Detection involves identifying specially crafted NMEA-2000 messages with PGN values larger than the maximum expected in the pgnList database, which trigger out-of-bounds array access.

While no specific commands are provided in the resources, you can monitor CAN bus or N2K-over-IP traffic for unusual or out-of-range PGN values using tools that capture and analyze CAN or NMEA-2000 messages.

  • Use CAN bus sniffing tools (e.g., can-utils) to capture traffic and filter for PGN values exceeding the known maximum.
  • Check application logs or run CANBoat with AddressSanitizer enabled to detect buffer overflow crashes triggered by malformed PGNs.

Mitigation Strategies

The primary mitigation is to update CANBoat to a version that includes the fix committed in commit a5a22b7 or later.

The fix corrects the binary search bounds in the searchForPgn() function to prevent out-of-bounds reads by changing the loop condition from a closed range to a half-open range and adding input range checks.

Until the update can be applied, consider filtering or blocking NMEA-2000 messages with PGN values that exceed the known valid range to prevent triggering the vulnerability.

  • Apply the patch from commit a5a22b7 or upgrade to a fixed CANBoat version.
  • Implement network-level filtering on CAN bus or N2K-over-IP to reject messages with out-of-range PGNs.
  • Monitor for crashes and restart affected services promptly to maintain availability.