CVE-2026-37536 - Vulnerability Details

- Stack Buffer Overflow in uds-c send_diagnostic_request Function

Description

miaofng/uds-c commit e506334e270d77b20c0bc259ac6c7d8c9b702b7a (2016-10-05) contains a stack buffer overflow in send_diagnostic_request. A 6-byte stack buffer (MAX_DIAGNOSTIC_PAYLOAD_SIZE=6) receives memcpy at offset 1+pid_length with payload_length bytes. MAX_UDS_REQUEST_PAYLOAD_LENGTH=7, so 1+2+7=10 exceeds buffer by 4 bytes. No bounds check on payload_length before memcpy.

Published: 2026-05-01

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The uds-c library contains a stack buffer overflow in the send_diagnostic_request function. The payload buffer is only six bytes long, yet the implementation copies up to seven bytes of payload data without verifying the length, causing the buffer to be overwritten and memory corruption. As a result, this flaw could allow an attacker to corrupt stack data and potentially execute arbitrary code or crash the application. The flaw is classified as high severity with a CVSS score of 8.8, indicating a substantial impact if successfully exploited.

Affected Systems

The affected component is the uds‑c diagnostic library used in automotive communication stacks. The vulnerability exists in the commit e506334e270d77b20c0bc259ac6c7d8c9b702b7a (dated 2016‑10‑05). Users relying on earlier releases of the library are at risk; any build that includes this commit without the later fix is affected.

Risk and Exploitability

The CVSS score of 8.8 signals a severe risk, and while the EPSS score is not available, the lack of a bounds check and the high severity suggest that the flaw could be exploited remotely via crafted diagnostic requests sent over a network or other communication interface. Based on the description, it is inferred that an attacker would need to send a specially crafted diagnostic packet that exceeds the payload length limit to trigger the overflow. The vulnerability is not yet listed in CISA KEV, but its high severity warrants immediate attention and mitigation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the uds‑c library to the latest version that includes the buffer overflow fix (e.g., pull the latest commit from the openxc/uds‑c repository).
If an upgrade is not possible immediately, modify the send_diagnostic_request implementation to enforce payload_length ≤ MAX_DIAGNOSTIC_PAYLOAD_SIZE before performing the memcpy operation.
Restrict access to the UDS interface so that only trusted, authenticated sources can send diagnostic requests, minimizing the attack surface.

Generated by OpenCVE AI on May 2, 2026 at 11:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00015.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381
https://github.com/miaofng/uds-c
https://github.com/openxc/uds-c

History

Sat, 02 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Title		Stack Buffer Overflow in uds-c send_diagnostic_request Function

Fri, 01 May 2026 20:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-121
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 01 May 2026 17:00:00 +0000

Type	Values Removed	Values Added
Description		miaofng/uds-c commit e506334e270d77b20c0bc259ac6c7d8c9b702b7a (2016-10-05) contains a stack buffer overflow in send_diagnostic_request. A 6-byte stack buffer (MAX_DIAGNOSTIC_PAYLOAD_SIZE=6) receives memcpy at offset 1+pid_length with payload_length bytes. MAX_UDS_REQUEST_PAYLOAD_LENGTH=7, so 1+2+7=10 exceeds buffer by 4 bytes. No bounds check on payload_length before memcpy.
References		https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 https://github.com/miaofng/uds-c https://github.com/openxc/uds-c
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AC:L/AV:A/A:H/C:H/I:H/PR:N/S:U/UI:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-05-01T00:00:00.000Z

Updated: 2026-05-01T19:45:05.053Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37536

Vulnrichment

Updated: 2026-05-01T19:32:29.811Z

NVD

Status : Received

Published: 2026-05-01T17:16:23.373

Modified: 2026-05-01T20:16:23.323

Link: CVE-2026-37536

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T12:00:14Z

Weaknesses

CWE-121

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object