Description
CANBoat through 6.22, fixed in commit a5a22b7, contains an off-by-one global buffer overflow in the searchForPgn() function in analyzer/pgn.c that allows remote attackers to crash the application. Attackers can deliver a crafted NMEA-2000 message with an out-of-range PGN value over CAN bus or N2K-over-IP to trigger an out-of-bounds array access and denial of service.
Published: 2026-06-25
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an off‑by‑one out‑of‑bounds array access in the searchForPgn() routine of CANBoat. This flaw allows attackers to crash the application, resulting in a denial of service to the CAN‑bus interface and any dependent systems. The weakness is classified as CWE‑193, indicating a classic off‑by‑one error.

Affected Systems

CANBoat versions up to and including 6.22 are affected. The problem exists in the analyzer/pgn.c component of the software. A fix is provided in the commit a5a22b74b9ace which addresses the buffer overflow.

Risk and Exploitability

The CVSS score of 7 indicates noteworthy severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the crash remotely by sending a crafted NMEA‑2000 message with an out‑of‑range PGN value over CAN bus or N2K‑over‑IP. The attack requires network access to the CAN‑bus interface, but does not require special credentials.

Generated by OpenCVE AI on June 25, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update CANBoat to the version containing commit a5a22b74b9ac5688019cba62669df08562cebd6f or later, ensuring the off‑by‑one buffer overflow fix is applied.
  • Rebuild and redeploy the updated CANBoat binaries on all affected nodes, then restart the service to use the patched code.
  • Confirm that the service no longer crashes when receiving invalid PGN values by reproducing the attack vector in a controlled environment or using automated monitoring for unexpected terminations.

Generated by OpenCVE AI on June 25, 2026 at 19:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Canboat
Canboat canboat
Vendors & Products Canboat
Canboat canboat

Thu, 25 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Description CANBoat through 6.22, fixed in commit a5a22b7, contains an off-by-one global buffer overflow in the searchForPgn() function in analyzer/pgn.c that allows remote attackers to crash the application. Attackers can deliver a crafted NMEA-2000 message with an out-of-range PGN value over CAN bus or N2K-over-IP to trigger an out-of-bounds array access and denial of service.
Title CANBoat - Off-by-One Global Buffer Overflow in searchForPgn()
Weaknesses CWE-193
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H'}

cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-07-14T21:34:30.370Z

Reserved: 2026-06-23T01:24:27.652Z

Link: CVE-2026-56790

cve-icon Vulnrichment

Updated: 2026-06-25T21:36:12.367Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:36:29Z

Weaknesses