Description
Integer underflow vulnerability in Open-SAE-J1939 thru commit b6caf884df46435e539b1ecbf92b6c29b345bdfe (2025-11-30) in SAE_J1939_Read_Transport_Protocol_Data_Transfer,allows attackers to write to arbitrary memory via crafted sequence number from the CAN frame.
Published: 2026-05-01
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an integer underflow in the function SAE_J1939_Read_Transport_Protocol_Data_Transfer of the Open SAE J1939 library. A crafted sequence number in a CAN frame can cause the function to compute a negative index, enabling attackers to write payload data to arbitrary memory locations. This arbitrary memory write could lead to remote code execution or other compromise of confidentiality, integrity, or availability. The weakness corresponds to integer underflow (CWE-191).

Affected Systems

Systems that rely on the Open SAE J1939 library before the commit b6caf884df46435e539b1ecbf92b6c29b345bdfe (dated 2025-11-30) are affected. This includes any embedded or automotive systems that use SAE_J1939_Read_Transport_Protocol_Data_Transfer to parse CAN frames for J1939 traffic.

Risk and Exploitability

EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting limited public exploitation data. However, the attack vector is inferred to be an attacker who can inject crafted CAN frames onto the vehicle or robotic network. Without a patch, the risk remains significant because the exploit achieves arbitrary memory corruption. No documented exploits are known at this time, but the description flags a serious risk.

Generated by OpenCVE AI on May 2, 2026 at 07:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch commit b6caf884df46435e539b1ecbf92b6c29b345bdfe (2025-11-30) or later to update Open‑SAE‑J1939.
  • If a patch cannot be applied immediately, restrict CAN traffic to trusted sources and isolate the network segment that feeds the vulnerable function.
  • Implement defensive checks in SAE_J1939_Read_Transport_Protocol_Data_Transfer to validate sequence numbers and enforce bounds before indexing.

Generated by OpenCVE AI on May 2, 2026 at 07:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 02 May 2026 08:15:00 +0000

Type Values Removed Values Added
Title Integer underflow in Open‑SAE‑J1939 allows arbitrary memory write via crafted CAN frames

Fri, 01 May 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-191
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 01 May 2026 17:00:00 +0000

Type Values Removed Values Added
Description Integer underflow vulnerability in Open-SAE-J1939 thru commit b6caf884df46435e539b1ecbf92b6c29b345bdfe (2025-11-30) in SAE_J1939_Read_Transport_Protocol_Data_Transfer,allows attackers to write to arbitrary memory via crafted sequence number from the CAN frame.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-01T19:06:00.671Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37534

cve-icon Vulnrichment

Updated: 2026-05-01T19:00:20.378Z

cve-icon NVD

Status : Received

Published: 2026-05-01T17:16:23.073

Modified: 2026-05-01T20:16:22.960

Link: CVE-2026-37534

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T08:00:14Z

Weaknesses