CVE-2026-14605

Stack-Based Buffer Overflow in RT-Thread ls1c CAN Handler


Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: VulDB

Description

A vulnerability was identified in RT-Thread up to 5.0.2. Affected by this vulnerability is the function recvmsg in the library bsp/loongson/ls1cdev/libraries/ls1c_can.h of the component ls1c CAN Handler. Such manipulation leads to stack-based buffer overflow. Local access is required to approach this attack. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.


Meta Information

Published: 2026-07-03
Last Modified: 2026-07-03
Generated: 2026-07-04
AI Q&A: 2026-07-03
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 2 associated CPEs

Vendor | Product | Version / Range
rt-thread | rt-thread | 5.0.2
rt-thread | rt-thread | 5.2.2

CWE

CWE ID | Description
CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Executive Summary

The vulnerability in RT-Thread up to version 5.0.2 affects the recvmsg function in the ls1c CAN Handler component. It occurs because the CAN driver does not validate the Data Length Code (DLC) value received in CAN frames. When the DLC value is between 9 and 15, it is used unchecked as the length for copying data into a stack-allocated buffer that only supports up to 8 bytes. This causes a stack-based buffer overflow, potentially leading to memory corruption or crashes.

The issue arises specifically in the Loongson ls1c CAN receive path, where the driver copies data from a global receive message structure into a local buffer without proper bounds checking. This overflow happens in the interrupt service routine when processing attacker-controlled CAN frames.

Impact Analysis

This vulnerability can lead to stack-based buffer overflow, which may cause memory corruption or system crashes on devices running the affected RT-Thread versions with the Loongson ls1c CAN controller enabled.

An attacker with local access and the ability to send crafted CAN frames can exploit this flaw to disrupt system stability, potentially leading to denial of service or unpredictable behavior.

Detection Guidance

This vulnerability can be detected by monitoring CAN frames on Loongson ls1cdev boards for abnormal Data Length Code (DLC) values. Specifically, frames with DLC values between 9 and 15 indicate potential exploitation attempts, as the vulnerable driver does not validate DLC values above 8.

Detection involves capturing CAN traffic and inspecting the DLC field of received frames, using a CAN bus monitoring utility that can filter or log frames with DLC > 8.

  • Use a CAN bus sniffer or monitoring tool compatible with your hardware to capture CAN frames.
  • Filter or search for CAN frames where the DLC field is greater than 8.
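  • Example command (depending on your system and tools): `candump can0 | grep -E 'DLC=(9|1[0-5])'` to identify suspicious frames.

Note that the exact command depends on your CAN interface and monitoring tools. The pattern above assumes a tool that prints the field as `DLC=<n>`; `candump` prints the frame length in square brackets instead, so adapt the pattern to your tool's output. Some receive stacks also report a normalised length of 8 for such frames unless raw DLC reporting is enabled, so confirm that the capture point exposes the raw DLC. Ensure you have access to the CAN channel on the affected device.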

Mitigation Strategies

Immediate mitigation involves preventing the processing of CAN frames with DLC values greater than 8 to avoid triggering the stack-based buffer overflow.

Specifically, you should apply patches or updates that clamp or reject DLC values above 8 before processing received frames in the ls1c CAN driver.

  • Disable the CAN channel on affected Loongson ls1cdev boards if it is not required.
  • Apply any available patches or updates from RT-Thread that fix the DLC validation issue in the `recvmsg()` function.
  • If patches are not available, implement manual checks in the driver code to clamp DLC values to a maximum of 8 or reject frames with DLC > 8.

Since the exploit is publicly available, restricting local access to the affected system and monitoring for suspicious CAN frames is also recommended.
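
One way to implement the clamp-or-reject check described above, as an added example that is not RT-Thread's code or a patch from the project. The `demo_*` names, the struct layout and the sample frames are hypothetical stand-ins for the driver's receive message.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define CAN_MAX_DLEN 8u  /* classic CAN payload limit */

/* Hypothetical stand-in for the driver's global receive message. */
struct demo_can_rx {
    uint8_t dlc;                  /* 4-bit wire field: 0..15 */
    uint8_t data[CAN_MAX_DLEN];
};
struct demo_can_stats { unsigned accepted, clamped, rejected; };
enum demo_policy { DEMO_REJECT, DEMO_CLAMP };

/* Unsafe pattern from the description, shown for contrast only:
 *     uint8_t buf[8];
 *     memcpy(buf, rx->data, rx->dlc);   // dlc 9..15 overruns buf
 */
/* Copy a received payload into out[8]. Returns bytes copied (0..8),
 * or -1 when the frame is dropped under DEMO_REJECT. */
int demo_recv_checked(const struct demo_can_rx *rx, uint8_t out[CAN_MAX_DLEN],
                      enum demo_policy policy, struct demo_can_stats *st)
{
    uint8_t len = rx->dlc & 0x0Fu;
    if (len > CAN_MAX_DLEN) {
        if (policy == DEMO_REJECT) {
            st->rejected++;       /* counter doubles as a detection signal */
            return -1;
        }
        len = CAN_MAX_DLEN;       /* clamp: DLC 9..15 carries 8 data bytes */
        st->clamped++;
    }
    memcpy(out, rx->data, len);
    st->accepted++;
    return (int)len;
}

int main(void)
{
    /* Constructed frames: two valid DLCs and two out-of-range ones. */
    struct demo_can_rx frames[] = {
        { 0, {0} }, { 8, {1, 2, 3, 4, 5, 6, 7, 8} }, { 9, {9} }, { 15, {0xAA} },
    };
    struct demo_can_stats st = { 0, 0, 0 };
    uint8_t out[CAN_MAX_DLEN];
    for (size_t i = 0; i < sizeof frames / sizeof frames[0]; i++)
        printf("dlc=%u -> %d\n", (unsigned)frames[i].dlc,
               demo_recv_checked(&frames[i], out, DEMO_REJECT, &st));
    printf("accepted=%u rejected=%u\n", st.accepted, st.rejected);
    return 0;
}
```

The check belongs before any length-dependent copy in the receive path, and a non-zero `rejected` or `clamped` count is worth surfacing in device logs alongside bus-level monitoring.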

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-14605 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
