Description
Buffer overflow vulnerability in Open Vehicle Monitoring System 3 (OVMS3) 3.3.005. In canformat_gvret.cpp, the length field in GVRET binary data is not properly validated, allowing remote attackers to cause a denial of service or possibly execute arbitrary code via crafted GVRET frames.
Published: 2026-05-01
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A buffer overflow occurs in the Open Vehicle Monitoring System 3 when processing GVRET frames, because the length field within the binary payload is not properly validated. This flaw can be exploited by a remote attacker who sends a crafted GVRET frame, potentially leading to a denial of service or the execution of arbitrary code on the target system. The description explicitly states that the vulnerability may allow attackers to cause arbitrary code execution, indicating a high severity risk to confidentiality, integrity, and availability of the vehicle monitoring service.

Affected Systems

The vulnerability affects Open Vehicle Monitoring System 3 (OVMS3) version 3.3.005. No other vendors or products are listed in the available data, so the risk is confined to systems running this specific OVMS3 release.

Risk and Exploitability

With a CVSS score of 10, the weakness is rated as critical, and although an EPSS score is not available, the high CVSS combined with the potential for remote code execution suggests a high likelihood of exploitation. The attack vector is inferred to be remote, requiring an attacker to transmit malicious GVRET frames to the OVMS device. Because the software runs on vehicle modules, the impact could compromise vehicle control functions if the vulnerability is leveraged for code execution.

Generated by OpenCVE AI on May 2, 2026 at 07:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a newer version of OVMS that contains the buffer overflow fix
  • If a patch is unavailable, disable or block the GVRET interface on the device or restrict network access to the GVRET port
  • Monitor the system for suspicious traffic and apply additional network segmentation or firewall rules to mitigate potential exploitation


Advisories

No advisories yet.

History

Sat, 02 May 2026 08:15:00 +0000

Type | Values Removed | Values Added
Title | | Remote Code Execution via GVRET Frame Overflow in OVMS3 3.3.005

Fri, 01 May 2026 18:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-121
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 01 May 2026 17:00:00 +0000

Type | Values Removed | Values Added
Description | | Buffer overflow vulnerability in Open Vehicle Monitoring System 3 (OVMS3) 3.3.005. In canformat_gvret.cpp, the length field in GVRET binary data is not properly validated, allowing remote attackers to cause a denial of service or possibly execute arbitrary code via crafted GVRET frames.
References | |
Metrics | | cvssV3_1 {'score': 10, 'vector': 'CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:C/UI:N'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-01T17:46:13.484Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37541

Vulnrichment

Updated: 2026-05-01T17:46:07.425Z

NVD

Status: Received

Published: 2026-05-01T17:16:24.083

Modified: 2026-05-01T18:16:15.197

Link: CVE-2026-37541

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T08:00:14Z

Weaknesses