Impact
This vulnerability arises from an integer underflow in the Transport Protocol Data Transfer (TP_DT) handling of the Open-SAE-J1939 library. In one code path the sequence number extracted from a CAN frame is decremented by one without any check that it is non-zero. When the sequence number is zero, the 8-bit value wraps around to 255, and the subsequent write targets an offset beyond the intended buffer. This buffer overwrite can corrupt adjacent memory and, in certain deployment contexts, may result in crashes, arbitrary code execution, or privilege escalation. The weakness is a classic integer underflow leading to out-of-bounds memory access.
Affected Systems
The affected code is located in the collin80/Open-SAE-J1939 repository and its fork by DanielMartensson. The bug exists in commits up to 744024d4306bc387857dfce439558336806acb06, released on March 8, 2023. No vendor products or version numbers are listed; the code is open source and typically integrated into automotive CAN J1939 implementations. Systems that link against this library and process externally supplied CAN frames are potentially vulnerable.
Risk and Exploitability
This flaw has a CVSS score of 8.1, marking it as high severity. Because the EPSS score is unavailable and the CVE is not yet catalogued by CISA as known exploited, the exact likelihood of exploitation is undetermined, but the nature of a buffer overflow suggests that local or remote attackers with access to the vehicle’s CAN bus could trigger it. The trigger is a CAN frame whose sequence number is zero, which causes the library to underflow the index and overwrite memory beyond the TP_DT buffer. If the vulnerable process executes with elevated privileges, this could lead to arbitrary code execution or privilege escalation. A patch is available in updated commits; where it cannot be applied, defensive coding (validating the sequence number before it is decremented and used as an index) is required.
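A minimal C model of the flaw described here and in the Impact section, added as an example and not code from the Open-SAE-J1939 project: the unchecked `seq - 1` shows the wrap to 255, and a hardened handler validates the sequence number against the announced packet count before writing. The frame layout, buffer size and all names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of a J1939 TP.DT packet: byte 0 is the sequence
 * number (1..255), bytes 1..7 carry seven data bytes. Names and sizes
 * are assumptions, not the library's own API. */
#define TP_DT_DATA_BYTES 7
#define TP_BUF_SIZE (TP_DT_DATA_BYTES * 255)
struct tp_session {
    uint8_t data[TP_BUF_SIZE];
    uint8_t expected_packets;   /* announced by the preceding TP.CM */
};
/* The defect as described: seq - 1 with no zero check, so seq == 0 wraps
 * to 255. Only the offset is computed here; the real bug writes to it. */
size_t unchecked_offset(uint8_t seq)
{
    uint8_t index = seq - 1;
    return (size_t)index * TP_DT_DATA_BYTES;
}
/* Hardened handler: reject seq 0 and anything past the announced packet
 * count, then bounds-check before writing into the session buffer. */
int tp_dt_store(struct tp_session *s, const uint8_t frame[8])
{
    uint8_t seq = frame[0];
    if (seq == 0 || seq > s->expected_packets)
        return -1;                          /* drop malformed packet */
    size_t offset = (size_t)(seq - 1) * TP_DT_DATA_BYTES;
    if (offset + TP_DT_DATA_BYTES > sizeof s->data)
        return -1;                          /* defence in depth */
    memcpy(s->data + offset, frame + 1, TP_DT_DATA_BYTES);
    return 0;
}
/* Feeds one constructed TP.DT frame into a fresh session. */
int feed_frame(uint8_t seq, uint8_t expected_packets)
{
    struct tp_session s;
    memset(&s, 0, sizeof s);
    s.expected_packets = expected_packets;
    uint8_t frame[8] = { seq, 'J', '1', '9', '3', '9', 'T', 'P' };
    return tp_dt_store(&s, frame);
}
int main(void)
{
    printf("seq 0: offset %zu of %d, store -> %d\n",
           unchecked_offset(0), TP_BUF_SIZE, feed_frame(0, 2));
    return 0;
}
```

With a zero sequence number the unchecked path lands at offset 1785, the end of the 1785-byte buffer, while the hardened handler rejects the frame.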
OpenCVE Enrichment