Description
Buffer overflow vulnerability in cannelloni v2.0.0 in CAN frame parsing in parser.cpp in function parseCANFrame, and decoder.cpp in function decodeFrame allowing remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted CAN FD frames.
Published: 2026-05-01
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A classic buffer overflow in the CAN frame parsing logic of cannelloni makes the application overwrite memory when handling malformed CAN FD frames. The vulnerability allows attackers to crash the service, causing a denial of service, or to execute arbitrary code if the memory overwrite grants sufficient control. The weakness is a stack-based buffer overflow, which directly violates integrity by overwriting return addresses or function pointers. The impact range includes any system running the vulnerable cane version exposed to external CAN traffic.

Affected Systems

The affected product is cannelloni version 2.0.0. No other vendors or products are listed by the CNA, so any system running that exact version of the software, particularly where it processes external CAN frames, is susceptible.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical severity, and although the EPSS score is not available, the lack of a KEV listing does not mitigate the high risk. The attack vector is inferred to be remote, as attackers craft malicious CAN FD frames that the vulnerable parser processes. To exploit, an attacker must be able to inject such frames towards the vulnerable system, a realistic scenario for embedded automotive or industrial control environments that interface with CAN networks.

Generated by OpenCVE AI on May 2, 2026 at 07:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade cannelloni to a patched release that resolves the buffer overflow.
  • Disable CAN FD support or restrict it to trusted traffic until a fix is applied.
  • Apply network filtering or segmentation to isolate CAN traffic and prevent attackers from reaching the vulnerable interface.

Generated by OpenCVE AI on May 2, 2026 at 07:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 01 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-121
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 01 May 2026 17:00:00 +0000

Type Values Removed Values Added
Description Buffer overflow vulnerability in cannelloni v2.0.0 in CAN frame parsing in parser.cpp in function parseCANFrame, and decoder.cpp in function decodeFrame allowing remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted CAN FD frames.
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-01T17:38:01.403Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37539

cve-icon Vulnrichment

Updated: 2026-05-01T17:37:57.066Z

cve-icon NVD

Status : Received

Published: 2026-05-01T17:16:23.803

Modified: 2026-05-01T18:16:14.903

Link: CVE-2026-37539

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T08:00:14Z

Weaknesses