Description
driftregion iso14229 through 0.9.0 contains an integer underflow and downstream out-of-bounds read in the Handle_0x27_SecurityAccess() function in iso14229.c that allows a remote unauthenticated attacker to crash a UDS server and potentially read memory past the receive buffer by sending a single-byte 0x27 SecurityAccess request that follows any earlier well-formed 0x27 message. The handler reads the SecurityAccess subFunction from recv_buf[1] without first checking that recv_len is at least 2, then computes the key-data length as the unsigned subtraction (uint16_t)(recv_len - UDS_0X27_REQ_BASE_LEN); when recv_len equals 1 the result underflows to 65535 and is passed as args.len to the application's SecAccessValidateKey or SecAccessRequestSeed callback, which typically iterates or copies that many bytes from the 4-KB receive buffer. Every other UDS sub-function handler in the library (0x10, 0x11, 0x14, 0x19, 0x22, 0x23, 0x28, and others) performs an explicit recv_len lower-bound check before indexing; Handle_0x27_SecurityAccess is the sole outlier. The vulnerable handler reaches over CAN bus, OBD-II, ISO-TP, and DoIP transports and is exposed in the default diagnostic session without prior authentication; deployments on automotive ECUs, industrial controllers, and IoT devices that ship iso14229 as their UDS server are affected.
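To make the length arithmetic described above concrete, the following added example (constructed for this page, not code from the iso14229 project) places a minimal version of the vulnerable computation next to a hardened one. The names `vulnerable_key_len`, `hardened_key_len`, `callback_len_is_sane`, `SecAccessArgs` and the NRC constant are assumptions chosen to mirror the description; `UDS_0X27_REQ_BASE_LEN` is taken from the page and assumed to be 2 (SID plus subFunction).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed illustration of the recv_len handling the CVE text describes.
 * Not the library's own code; names below are assumptions. */
#define UDS_0X27_REQ_BASE_LEN 2u      /* SID (0x27) + subFunction, assumed */
#define RECV_BUF_SIZE 4096u           /* the 4-KB receive buffer named on the page */
#define NRC_INCORRECT_MESSAGE_LENGTH 0x13u  /* standard UDS NRC for bad length */

typedef struct {
    uint8_t  subFunction;
    uint16_t len;   /* key/seed byte count handed to the application callback */
} SecAccessArgs;

/* Vulnerable pattern: indexes recv_buf[1] and subtracts the base length with
 * no lower bound on recv_len. For recv_len == 1 the subtraction wraps to 65535,
 * and recv_buf[1] is a stale byte left in the buffer by an earlier request. */
uint16_t vulnerable_key_len(const uint8_t *recv_buf, uint16_t recv_len, SecAccessArgs *args)
{
    args->subFunction = recv_buf[1];
    args->len = (uint16_t)(recv_len - UDS_0X27_REQ_BASE_LEN);
    return args->len;
}

/* Hardened pattern: reject short (and over-long) requests before indexing, so the
 * subtraction cannot wrap. Returns 0 on success or a negative response code. */
uint8_t hardened_key_len(const uint8_t *recv_buf, uint16_t recv_len, SecAccessArgs *args)
{
    if (recv_len < UDS_0X27_REQ_BASE_LEN || recv_len > RECV_BUF_SIZE)
        return NRC_INCORRECT_MESSAGE_LENGTH;
    args->subFunction = recv_buf[1];
    args->len = (uint16_t)(recv_len - UDS_0X27_REQ_BASE_LEN);
    return 0;
}

/* Defensive check an application can run inside its SecAccess callback:
 * the advertised key length must fit inside the bytes actually received. */
bool callback_len_is_sane(uint16_t args_len, uint16_t recv_len)
{
    return (size_t)args_len + UDS_0X27_REQ_BASE_LEN <= recv_len;
}

int main(void)
{
    static uint8_t recv_buf[RECV_BUF_SIZE] = { 0x27, 0x01 }; /* stale bytes from a prior request */
    SecAccessArgs a;
    printf("vulnerable len for 1-byte request: %u\n", vulnerable_key_len(recv_buf, 1, &a));
    printf("hardened result for 1-byte request: 0x%02X\n", hardened_key_len(recv_buf, 1, &a));
    return 0;
}
```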
Published: 2026-06-14
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an integer underflow in Handle_0x27_SecurityAccess, where the library reads the SecurityAccess subFunction from recv_buf[1] without first ensuring that the request length is at least two bytes. When an attacker sends a single‑byte 0x27 request after any earlier well‑formed 0x27 message, the code subtracts a base length from a length of one, producing an unsigned underflow to 65535. That large value is then passed to callback functions that iterate or copy that many bytes from the receive buffer, causing an out‑of‑bounds read and a crash. The effect is a classic out‑of‑bounds read that can also leak memory beyond the buffer, aligning with CWE‑125 (Out‑of‑Bounds Read) and CWE‑191 (Integer Underflow).

Affected Systems

The vulnerable implementation is contained in driftregion’s iso14229 library prior to version 0.9.0. Devices that ship this library in automotive Electronic Control Units, industrial controllers, or general IoT systems and expose UDS over CAN, OBD‑II, ISO‑TP, or DoIP normally operate the SecurityAccess routine in the default diagnostic session without any prior authentication. Any deployment that includes iso14229 up to 0.9.0 and exposes the 0x27 sub‑function over those transports is therefore affected.

Risk and Exploitability

With a CVSS score of 7.8 the flaw is classified as high severity. Although an EPSS score is not reported, the attack requires sending a crafted single‑byte packet that follows a valid SecurityAccess frame; this implies a relatively low to moderate exploitation probability in practice. The flaw is not yet listed in CISA’s KEV catalog, suggesting that large‑scale exploitation has not been documented. Nevertheless, an attacker on the vehicle‑bus network or with physical OBD‑II access can trigger the crash and potentially read memory, resulting in denial of service and transient information exposure.

Generated by OpenCVE AI on June 14, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest iso14229 release that applies bounds checking to Handle_0x27_SecurityAccess or apply the upstream patch that adds a minimum length check.
  • If upgrading is infeasible, reconfigure the diagnostic stack to reject or block 0x27 SecurityAccess requests from unauthenticated sessions, or ensure that such requests are only accepted after proper authentication.
  • Implement runtime monitoring or watchdog functionality to detect unexpected UDS server crashes and generate alerts or capture crash logs for forensic analysis.



Advisories

No advisories yet.

History

Sun, 14 Jun 2026 19:45:00 +0000

Type / Values Removed / Values Added
  • Title: Integer Underflow in ISO‑TP UDS SecurityAccess Handler Allows Crash and Potential Memory Disclosure

Sun, 14 Jun 2026 18:00:00 +0000

Type / Values Removed / Values Added
  • Description: identical to the Description above
  • Weaknesses: CWE-125, CWE-191
  • References: none listed
  • Metrics: cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H'}; cvssV4_0 {'score': 7.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/AU:Y/V:D'}



MITRE

Status: PUBLISHED

Assigner: TuranSec

Published:

Updated: 2026-06-14T17:38:16.326Z

Reserved: 2026-06-13T16:39:46.122Z

Link: CVE-2026-54413

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-14T18:17:20.943

Modified: 2026-06-14T18:17:20.943

Link: CVE-2026-54413

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-14T19:30:14Z

Weaknesses
  • CWE-125: Out-of-bounds Read
  • CWE-191: Integer Underflow (Wrap or Wraparound)