Description
AGL agl-service-can-low-level thru 17.1.12 contains a heap buffer over-read in the isotp-c library. In isotp_continue_receive (receive.c:87-89), the payload_length for a Single Frame is extracted from a 4-bit nibble in the CAN frame data, yielding values 0-15. However, a standard CAN frame is only 8 bytes, with payload starting at data[1] (7 bytes available). When payload_length exceeds the available data (e.g., nibble=15 but only 7 payload bytes exist), memcpy(message.payload, &data[1], payload_length) reads up to 8 bytes past the end of the data buffer.
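An added illustration of the check that is missing in the described code path (constructed example, not the isotp-c or agl-service-can-low-level source): the Single Frame length nibble is validated against the bytes actually present in the frame before anything is copied, so a frame carrying a nibble of 15 with only 7 payload bytes is rejected instead of driving memcpy past the buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CAN_MAX_DLC 8             /* classic CAN frame data length */
#define ISOTP_SF_PCI_TYPE 0x0     /* PCI type nibble for a Single Frame */
#define ISOTP_SF_MAX_PAYLOAD 7    /* 8 data bytes minus the PCI byte */

/* Hardened Single Frame parse (illustrative, not the library's own code).
 * Returns the number of payload bytes copied into out, or -1 if the frame
 * is malformed. The 4-bit length nibble (0..15) is checked against the
 * bytes really present after data[0] and against the caller's buffer. */
int isotp_parse_single_frame(const uint8_t *data, size_t data_len,
                             uint8_t *out, size_t out_cap)
{
    if (data == NULL || out == NULL || data_len == 0 || data_len > CAN_MAX_DLC)
        return -1;
    if ((data[0] >> 4) != ISOTP_SF_PCI_TYPE)
        return -1;                              /* not a Single Frame */

    size_t payload_length = data[0] & 0x0F;     /* nibble: values 0..15 */
    size_t available = data_len - 1;            /* bytes after the PCI byte */

    /* The bound the advisory describes as absent: length 0 is reserved for
     * the CAN FD escape form, and anything beyond the bytes on the wire
     * (or the SF maximum, or the destination) must not reach memcpy. */
    if (payload_length == 0 || payload_length > ISOTP_SF_MAX_PAYLOAD ||
        payload_length > available || payload_length > out_cap)
        return -1;

    memcpy(out, &data[1], payload_length);
    return (int)payload_length;
}

/* Constructed frame matching the advisory's case: nibble = 15, 7 bytes present. */
int demo_inflated_nibble(void)
{
    static const uint8_t frame[CAN_MAX_DLC] = {0x0F, 1, 2, 3, 4, 5, 6, 7};
    uint8_t out[CAN_MAX_DLC];
    return isotp_parse_single_frame(frame, sizeof frame, out, sizeof out);
}

/* Constructed well-formed frame: nibble = 3, payload AA BB CC. */
int demo_valid_frame(void)
{
    static const uint8_t frame[CAN_MAX_DLC] = {0x03, 0xAA, 0xBB, 0xCC, 0, 0, 0, 0};
    uint8_t out[CAN_MAX_DLC];
    int n = isotp_parse_single_frame(frame, sizeof frame, out, sizeof out);
    return (n == 3 && out[0] == 0xAA && out[2] == 0xCC) ? n : -1;
}
```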
Published: 2026-05-01
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap buffer over‑read exists in the isotp-c library’s isotp_continue_receive function, which extracts a 4‑bit payload length from a CAN frame. The function reads up to eight bytes beyond the end of the available data buffer when the extracted length is larger than the actual payload. This allows an adversary to read arbitrary memory contents from the heap and potentially reveal sensitive information.

Affected Systems

The vulnerability is present in AGL agl-service-can-low-level through version 17.1.12, a component used by automotive Linux systems that expose CAN bus services.

Risk and Exploitability

The issue has a CVSS score of 7.1. EPSS is not available and the flaw is not listed in CISA KEV. An attacker who can inject CAN frames (for example, via a compromised vehicle interface) can send a crafted Single Frame message with an inflated payload length nibble, triggering the over‑read. Since the service does not validate the length against the actual data, the exploitation requires only local or remote access to the CAN network and does not rely on privilege escalation.

Generated by OpenCVE AI on May 2, 2026 at 07:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update agl-service-can-low-level to version 17.1.13 or later where the over‑read has been fixed.
  • If an update is not available, apply a patch that replaces the memcpy call with a bounds‑checked copy that limits the source length to the real payload size.
  • As a temporary defense, block or sandbox incoming CAN frames until the fix or patch can be deployed.

Generated by OpenCVE AI on May 2, 2026 at 07:57 UTC.

Advisories

No advisories yet.

History

Sat, 02 May 2026 08:15:00 +0000

Title (added): Heap Buffer Over-Read in AGL isotp-c Library Allows Arbitrary Memory Disclosure

Fri, 01 May 2026 20:15:00 +0000

Weaknesses (added): CWE-126
Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 01 May 2026 16:45:00 +0000

Description (added): AGL agl-service-can-low-level thru 17.1.12 contains a heap buffer over-read in the isotp-c library. In isotp_continue_receive (receive.c:87-89), the payload_length for a Single Frame is extracted from a 4-bit nibble in the CAN frame data, yielding values 0-15. However, a standard CAN frame is only 8 bytes, with payload starting at data[1] (7 bytes available). When payload_length exceeds the available data (e.g., nibble=15 but only 7 payload bytes exist), memcpy(message.payload, &data[1], payload_length) reads up to 8 bytes past the end of the data buffer.
References (added)
Metrics (added): cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AC:L/AV:A/A:H/C:L/I:N/PR:N/S:U/UI:N'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-01T19:45:17.749Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37532

Vulnrichment

Updated: 2026-05-01T19:33:49.161Z

NVD

Status : Received

Published: 2026-05-01T17:16:22.897

Modified: 2026-05-01T20:16:22.813

Link: CVE-2026-37532

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T08:00:14Z

Weaknesses