CVE-2026-14606

Stack-Based Buffer Overflow in RT-Thread CAN Handler


Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: VulDB

Description

A security flaw has been discovered in RT-Thread up to 5.0.2. Affected by this issue is the function CAN_Receive in the library bsp/synwit/libraries/SWM341_CSL/CMSIS/DeviceSupport/SWM341.h of the component SWM341 CAN Handler. Performing a manipulation results in stack-based buffer overflow. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Meta Information

Published: 2026-07-03
Last Modified: 2026-07-03
Generated: 2026-07-04
AI Q&A: 2026-07-03
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 2 associated CPEs

| Vendor | Product | Version / Range |
|---|---|---|
| rt-thread | rt-thread | 5.0.2 |
| rt-thread | rt-thread | 5.2.2 |

Exploitability

CWE

| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |

Executive Summary

CVE-2026-14606 is a security flaw in the RT-Thread real-time operating system, specifically in the SWM341 CAN Handler component. The vulnerability occurs in the CAN_Receive function, where the system trusts the Data Length Code (DLC) value from CAN frames without validating it. This leads to a stack-based buffer overflow when the DLC exceeds the standard 8-byte limit, causing out-of-bounds memory writes.

The exploit involves sending a CAN frame with a DLC value between 9 and 15, which causes memory corruption during the interrupt service routine before the message is fully processed. This issue affects the low-level CAN driver and hardware abstraction layers, and it requires local access to the system to be exploited.

Impact Analysis

This vulnerability can lead to memory corruption through a stack-based buffer overflow, which may allow an attacker with local access to execute arbitrary code, cause system crashes, or disrupt normal operation of the RT-Thread system.

Because the vulnerability occurs in the CAN communication stack, it is particularly critical in environments where CAN traffic crosses trust boundaries, potentially allowing attackers to compromise system integrity or availability.

Detection Guidance

This vulnerability can be detected by monitoring CAN frames for abnormal Data Length Code (DLC) values exceeding the standard 8-byte limit. Specifically, look for CAN frames with DLC values between 9 and 15, which indicate potential exploitation attempts.

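Detection can be performed by capturing CAN traffic and filtering frames with DLC > 8. For example, using can-utils on a Linux system:

  • Use 'candump' (part of can-utils) to capture CAN traffic.
  • Run a command like: `candump -8 can0 | grep -E '\{(9|[A-Fa-f]|1[0-5])\}'` to filter frames with DLC values from 9 to 15. The `-8` option prints the raw classical-CAN DLC in braces, and the pattern accepts the value in hex or decimal. The capture interface only reports raw DLC values above 8 when it is configured with `cc-len8-dlc on`.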

Additionally, code auditing or static analysis on the affected driver files (e.g., drv_can.c, SWM341_can.c) can help identify if DLC validation is missing.

Mitigation Strategies

Immediate mitigation involves preventing the processing of CAN frames with DLC values greater than 8 to avoid out-of-bounds memory writes.

Specifically, apply input validation in the CAN driver to clamp or reject DLC values above 8 before copying data buffers.
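
The following C example is added here and is not taken from RT-Thread or the SWM341 library; it shows the DLC bound applied before the copy into an 8-byte buffer, with both the reject and the clamp policy. The struct layouts, the function names `can_receive_checked` and `canary_survives`, the policy enum and the payload bytes are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define CAN_MAX_DLEN 8u /* classical CAN payload limit in bytes */

/* Hypothetical stand-ins for the controller RX registers and the driver's
 * message struct; these are not the SWM341 or RT-Thread definitions. */
struct rx_regs { uint32_t id; uint8_t dlc; uint8_t fifo[16]; };
struct can_msg { uint32_t id; uint8_t size; uint8_t data[CAN_MAX_DLEN]; };
enum dlc_policy { DLC_REJECT, DLC_CLAMP };

/* Copy one received frame. The DLC is a 4-bit wire field (0..15), so it is
 * bounded against the destination before memcpy. Returns 0, or -1 if dropped. */
int can_receive_checked(const struct rx_regs *rx, struct can_msg *msg,
                        enum dlc_policy policy)
{
    uint8_t len = rx->dlc & 0x0Fu;
    if (len > CAN_MAX_DLEN) {
        if (policy == DLC_REJECT) return -1; /* drop, msg is left untouched */
        len = CAN_MAX_DLEN;                  /* clamp to the first 8 bytes */
    }
    msg->id = rx->id;
    msg->size = len;
    memcpy(msg->data, rx->fifo, len);
    return 0;
}

/* Constructed check: the message sits in front of a canary word, as a
 * stack local would sit in front of saved state. Returns 1 if intact. */
int canary_survives(uint8_t dlc, enum dlc_policy policy, int *rc, uint8_t *size)
{
    struct { struct can_msg msg; uint32_t canary; } slot;
    struct rx_regs rx = { .id = 0x123, .dlc = dlc };
    memset(rx.fifo, 0xAA, sizeof rx.fifo);   /* constructed payload bytes */
    memset(&slot.msg, 0, sizeof slot.msg);
    slot.canary = 0xC0FFEEu;
    *rc = can_receive_checked(&rx, &slot.msg, policy);
    *size = slot.msg.size;
    return slot.canary == 0xC0FFEEu;
}

int main(void)
{
    int rc; uint8_t size;
    for (unsigned dlc = 7; dlc <= 15; dlc += 4) {   /* DLC 7, 11, 15 */
        int ok = canary_survives((uint8_t)dlc, DLC_REJECT, &rc, &size);
        printf("dlc=%u rc=%d size=%u canary_ok=%d\n", dlc, rc, (unsigned)size, ok);
    }
    return 0;
}
```

Rejecting is the stricter choice for a driver, since a classical CAN frame announcing more than 8 bytes is malformed; clamping keeps the frame but records the truncated length in `size`.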

If a patch or update is available from the vendor or community, apply it promptly to fix the vulnerability.

In the absence of a vendor response, consider implementing custom filtering or validation in your CAN message handling code to discard suspicious frames.

Also, restrict local access to the affected system to trusted users only, since the attack requires local access.

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-14606 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
