Multiple Memory Corruption Flaws Disclosed in Automotive CAN Libraries
Innora Security Research disclosed 11 vulnerabilities across eight automotive CAN-related libraries and tools, including Open-SAE-J1939, isotp-c, uds-c, socketcand, cannelloni, OpenAMP, and OVMS3. The issues span integer underflow and overflow, stack and heap buffer overflows, and other out-of-bounds memory access conditions affecting software used in ECUs, CAN gateways, diagnostic tooling, industrial networks, and research platforms. The report said several flaws are reachable through crafted CAN frames, tunneled CAN traffic, malformed firmware images, or malicious log files, with many assigned CVSS 9.8 severity due to the potential for remote memory corruption and service disruption.
One of the newly tracked issues, CVE-2026-37537, affects collin80/Open-SAE-J1939 through commit 744024d4306bc387857dfce439558336806acb06. In the library's Transport Protocol Data Transfer handling, a CAN frame with data[0] = 0 causes the calculation uint8_t index = data[0] - 1 to underflow to 255, leading to an out-of-bounds write past the allocated MAX_TP_DT buffer. The vulnerability was assigned CVSS v3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H, indicating an adjacent-network attack path with high integrity and availability impact, and it underscores broader unsafe length handling and unchecked memory operations across the affected CAN software ecosystem.
Timeline
May 1, 2026
CVE-2026-37537 submitted to MITRE for Open-SAE-J1939 flaw
CVE-2026-37537 was received by cve@mitre.org on 2026-05-01 for an Open-SAE-J1939 integer underflow in Transport Protocol Data Transfer handling. The flaw can cause an out-of-bounds write when a CAN frame sequence number of 0 makes `data[0] - 1` underflow to 255.
Apr 30, 2026
Innora Security Research discloses 11 CAN-related vulnerabilities
Innora Security Research publicly disclosed 11 vulnerabilities affecting eight automotive CAN-related libraries and tools, including Open-SAE-J1939, on 2026-04-30. The report described multiple memory-safety flaws such as integer underflow, integer overflow, and buffer overflows across projects used in ECUs, CAN gateways, diagnostic tooling, and related environments.
Mar 8, 2023
Affected Open-SAE-J1939 codebase last updated before vulnerable range cutoff
The vulnerable Open-SAE-J1939 range was identified as extending through commit 744024d4306bc387857dfce439558336806acb06, dated 2023-03-08. This commit serves as the latest referenced point for affected code in the CVE record.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Organizations
Sources
Related Stories
Two Buffer Overflows in OVMS3 Expose Vehicle Monitoring Systems to DoS and RCE
Two high-severity vulnerabilities have been disclosed in Open Vehicle Monitoring System 3 (**OVMS3**) version `3.3.005`, both stemming from improper input validation that can lead to buffer overflows. `CVE-2026-42469` affects `canformat_canswitch.cpp`, where the software fails to properly validate a CANswitch DLC value; a remote attacker can send crafted CANswitch frames to trigger a denial of service and potentially achieve arbitrary code execution. The flaw is tracked as **CWE-121** and carries a CVSS v3.1 vector of `AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H`, indicating network-reachable exploitation with no privileges or user interaction required and a high impact on availability. A second flaw, `CVE-2026-42468`, affects `canformat_pcap.cpp`, where OVMS3 does not correctly validate the `phdr.len` field while parsing PCAP input. An attacker can use crafted PCAP data to cause a denial of service and potentially execute arbitrary code; the updated CVSS v3.1 scoring indicates user interaction is required and that confidentiality, integrity, and availability may all be affected. The CVE records were updated to refine severity details, add **CWE-121** classification, and, for `CVE-2026-42469`, include a public GitHub Gist reference.
Yesterday
High-Severity Buffer Bounds Flaw in Portwell Engineering Toolkits Driver (CVE-2026-3437)
CISA published an ICS advisory for **CVE-2026-3437**, a **high-severity** memory safety issue (*CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer*) affecting **Portwell Engineering Toolkits v4.8.2**. The flaw is in the Portwell Engineering Toolkits **driver** and could allow a **local, authenticated attacker** to **read and write arbitrary memory**, enabling **privilege escalation** or **denial of service**; CISA scored it **CVSS v3.1 8.8 (High)** with a local attack vector and low complexity. The CVE record corroborates the same impact and affected version, and additionally lists a **CVSS v4.0** vector consistent with high impact to confidentiality, integrity, and availability. The vulnerability was reported to CISA by **Jason Huang** of **TXOne Networks** (Cyber Threat & Product Defense Center), and the advisory notes deployment across critical infrastructure environments (including **Energy** and **Critical Manufacturing**) with worldwide exposure.
1 months ago
Microsoft Discloses Linux Kernel Flaws in TEQL and USB CAN Drivers
Microsoft published security advisories for two Linux kernel vulnerabilities tracked as **`CVE-2026-23277`** and **`CVE-2026-23334`**. The first issue affects the networking stack, where **`net/sched: teql`** received a fix for a **NULL pointer dereference** in **`iptunnel_xmit`** during TEQL slave transmission, indicating a kernel-level flaw that could lead to instability or denial-of-service conditions. A second advisory, **`CVE-2026-23334`**, affects the CAN USB driver path, with a fix in **`can: usb: f81604`** to properly handle **short interrupt URB messages**. Together, the disclosures highlight separate low-level Linux kernel defects in networking and device-driver components that require patching through vendor security updates.
1 months ago