Description
openxc/isotp-c thru commit 5a5d19245f65189202719321facd49ce6f5d46ac (2021-08-09) contains an out-of-bounds read in the ISO-TP Single Frame receive handler, where the 4-bit payload length nibble is used directly as the memcpy size without validating it against the actual CAN data length. A malicious CAN frame with an oversized length nibble can cause memory reads beyond the buffer, allowing attackers to cause a denial of service, or gain sensitive information.
Published: 2026-05-01
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the ISO-TP Single Frame receive handler of the openxc/isotp-c library. In ISO 15765-2 the first byte of a Single Frame carries the PCI type in its high nibble and the payload length (SF_DL) in its low nibble; the handler passes that nibble straight to memcpy as the copy size without checking it against the number of data bytes actually received in the CAN frame. A crafted frame with an inflated nibble (a 4-bit value can claim up to 15 bytes, while at most 7 payload bytes can follow the PCI byte in a classic 8-byte CAN frame) makes memcpy read past the received data. Depending on what lies beyond the receive buffer, that over-read crashes the receiver (denial of service) or copies adjacent memory into the reassembled message, where a later transmit or log can expose it (information disclosure).

Affected Systems

Any system that incorporates openxc/isotp-c up to and including commit 5a5d19245f65189202719321facd49ce6f5d46ac (dated 2021‑08‑09, the most recent commit at the time of the report) is affected; no later commit containing a fix is identified. This includes embedded automotive components, diagnostic tools, and other software that vendors this library for ISO‑TP communication over CAN, where the dependency is often a copied source tree rather than a versioned package and so will not show up in package-manager inventories.

Risk and Exploitability

The CVSS v3.1 base score of 7.1 is rated High (vector AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H: adjacent network, low attack complexity, no privileges or user interaction, high availability impact, low confidentiality impact, no integrity impact). EPSS places the exploit probability below 1%, the vulnerability is not listed in CISA's KEV catalog, and the SSVC assessment records no known exploitation and rates the attack as not automatable with partial technical impact. The attack vector is a crafted CAN frame delivered to the device running the vulnerable library, so the attacker needs a way to put frames on the target's CAN bus (physical access to the bus or a diagnostic port, a compromised node, or a gateway that forwards the frame); no privileges on the target itself are required.

Generated by OpenCVE AI on May 2, 2026 at 07:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Track the openxc/isotp‑c repository for a fix landing after commit 5a5d19245f65189202719321facd49ce6f5d46ac, which is the last known affected commit and not a fix; at the time of writing no fixed version is identified, so vendored copies of the library need to be patched locally.
  • Patch the Single Frame receive logic to reject, before any copy is performed, frames whose length nibble exceeds the number of CAN data bytes actually received minus the PCI byte, or exceeds the classic-CAN Single Frame maximum of 7 payload bytes.
  • Restrict who can inject frames onto the CAN bus: physically protect diagnostic ports, place a gateway that drops unexpected or malformed frames between bus segments, and limit which nodes may source traffic on the ISO‑TP arbitration IDs the device listens on.
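To make the defect and the fix concrete, the following C program contrasts the unchecked receive pattern the description attributes to isotp-c with a bounded version implementing the check recommended above. It is an added example written for this page, not code from openxc/isotp-c or from OpenCVE: the names IsoTpSingleFrame, receive_single_frame_vulnerable, receive_single_frame_hardened and the 16-byte receive area are assumptions made for the demonstration, and the frames are constructed inputs. The only facts taken from ISO 15765-2 are the Single Frame layout (PCI type in the high nibble of byte 0, SF_DL in the low nibble, at most 7 payload bytes in a classic 8-byte CAN frame).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed names for this demo; not the isotp-c API. */
#define CAN_MAX_DATA          8                  /* classic CAN data bytes */
#define ISOTP_PCI_SINGLE      0x0                /* PCI type in byte0 >> 4 */
#define ISOTP_SF_MAX_PAYLOAD  (CAN_MAX_DATA - 1) /* 7: byte 0 is the PCI */
#define RX_AREA               16                 /* demo receive buffer */

typedef struct {
    uint8_t payload[16];  /* sized so every nibble value fits: as in the CVE,
                             the defect is an over-read of the source, not an
                             overflow of the destination */
    uint8_t length;
} IsoTpSingleFrame;

/* Vulnerable pattern: the SF_DL nibble is used directly as the memcpy size. */
bool receive_single_frame_vulnerable(const uint8_t *data, uint8_t data_len,
                                     IsoTpSingleFrame *out) {
    if (data_len == 0) return false;
    uint8_t pci = data[0] >> 4;
    uint8_t sf_dl = data[0] & 0x0F;
    if (pci != ISOTP_PCI_SINGLE) return false;
    /* BUG: sf_dl may be up to 15, but only data_len - 1 bytes follow byte 0 */
    memcpy(out->payload, &data[1], sf_dl);
    out->length = sf_dl;
    return true;
}

/* Hardened: bound the nibble by the bytes actually received and by the
 * classic-CAN Single Frame maximum before copying anything. */
bool receive_single_frame_hardened(const uint8_t *data, uint8_t data_len,
                                   IsoTpSingleFrame *out) {
    if (data_len < 2 || data_len > CAN_MAX_DATA) return false; /* PCI + >= 1 */
    uint8_t pci = data[0] >> 4;
    uint8_t sf_dl = data[0] & 0x0F;
    if (pci != ISOTP_PCI_SINGLE) return false;
    /* 0 is the CAN FD length escape, not a classic-CAN Single Frame */
    if (sf_dl == 0 || sf_dl > ISOTP_SF_MAX_PAYLOAD) return false;
    if (sf_dl > data_len - 1) return false;  /* the check the CVE says is missing */
    memcpy(out->payload, &data[1], sf_dl);
    out->length = sf_dl;
    return true;
}

/* Constructed receive area standing in for a driver's CAN RX buffer: the
 * frame occupies the first dlc bytes; the rest is stale data from earlier
 * traffic, marked 0xAA. In a real driver those bytes may not belong to the
 * allocation at all, which is where the crash (DoS) outcome comes from. */
static void fill_rx_area(uint8_t area[RX_AREA], const uint8_t *frame, uint8_t dlc) {
    memset(area, 0xAA, RX_AREA);
    memcpy(area, frame, dlc);
}

/* Feeds a 3-byte frame whose nibble claims 15 bytes to the vulnerable
 * handler and returns how many copied bytes came from beyond the frame. */
int leaked_bytes_vulnerable(void) {
    const uint8_t malicious[] = { 0x0F, 0x11, 0x22 };   /* SF_DL=15, DLC=3 */
    uint8_t area[RX_AREA];
    IsoTpSingleFrame msg = {0};
    fill_rx_area(area, malicious, sizeof malicious);
    if (!receive_single_frame_vulnerable(area, sizeof malicious, &msg)) return -1;
    int leaked = 0;
    for (unsigned i = sizeof malicious - 1; i < msg.length; i++)
        leaked += (msg.payload[i] == 0xAA);
    return leaked;   /* 13: payload bytes 2..14 are stale buffer contents */
}

/* Runs one frame through the hardened handler: payload length on accept,
 * -1 on reject. */
int hardened_result(const uint8_t *frame, uint8_t dlc) {
    uint8_t area[RX_AREA];
    IsoTpSingleFrame msg = {0};
    fill_rx_area(area, frame, dlc);
    return receive_single_frame_hardened(area, dlc, &msg) ? msg.length : -1;
}

int main(void) {
    const uint8_t malicious[] = { 0x0F, 0x11, 0x22 };
    const uint8_t short_dlc[] = { 0x07, 0x11, 0x22 };   /* nibble 7 <= 7, DLC 3 */
    const uint8_t valid[]     = { 0x03, 0x11, 0x22, 0x33 };
    const uint8_t padded[]    = { 0x02, 0x11, 0x22, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC };
    const uint8_t too_big[]   = { 0x08, 1, 2, 3, 4, 5, 6, 7 };
    printf("vulnerable handler copied %d stale bytes\n", leaked_bytes_vulnerable());
    printf("hardened: malicious=%d short_dlc=%d valid=%d padded=%d nibble8=%d\n",
           hardened_result(malicious, sizeof malicious),
           hardened_result(short_dlc, sizeof short_dlc),
           hardened_result(valid, sizeof valid),
           hardened_result(padded, sizeof padded),
           hardened_result(too_big, sizeof too_big));
    return 0;
}
```

The vulnerable handler accepts the 3-byte frame with nibble 0x0F and copies 13 bytes of stale buffer contents into the message, which is the disclosure path; on hardware where the over-read runs off the allocation it faults instead, which is the denial-of-service path. The hardened handler rejects the frame without copying. Checking the nibble only against the Single Frame maximum of 7 is not enough: the short_dlc case (DLC 3, nibble 7) passes that test yet would still over-read four bytes, so the bound has to come from the received length.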

Generated by OpenCVE AI on May 2, 2026 at 07:53 UTC.

Advisories

No advisories yet.

History

Sat, 02 May 2026 08:15:00 +0000

  Type    Values Removed  Values Added
  Title                   Out‑of‑Bounds Read in ISO‑TP Single Frame Handler Can Cause DoS or Information Disclosure

Fri, 01 May 2026 20:15:00 +0000

  Type        Values Removed  Values Added
  Weaknesses                  CWE-125
  Metrics                     ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 01 May 2026 17:00:00 +0000

  Type         Values Removed  Values Added
  Description                  openxc/isotp-c thru commit 5a5d19245f65189202719321facd49ce6f5d46ac (2021-08-09) contains an out-of-bounds read in the ISO-TP Single Frame receive handler, where the 4-bit payload length nibble is used directly as the memcpy size without validating it against the actual CAN data length. A malicious CAN frame with an oversized length nibble can cause memory reads beyond the buffer, allowing attackers to cause a denial of service, or gain sensitive information.
  References
  Metrics                      cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AC:L/AV:A/A:H/C:L/I:N/PR:N/S:U/UI:N'}



MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-01T19:45:11.301Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37535

Vulnrichment

Updated: 2026-05-01T19:32:44.346Z

NVD

Status: Received

Published: 2026-05-01T17:16:23.210

Modified: 2026-05-01T20:16:23.150

Link: CVE-2026-37535

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T08:00:14Z

Weaknesses