# Summary of Buffer Overflow Vulnerabilities in Automotive CAN Protocol Libraries

## Vulnerability Overview

This report discloses buffer overflow vulnerabilities present in multiple automotive CAN protocol libraries, including types such as integer underflow, stack overflow, heap overflow, and integer overflow. Most of these vulnerabilities have extremely high CVSS scores (9.8), indicating a high severity level.

## Scope of Impact

- **Affected Libraries**: Open-SAE-J1939, openxc/isotp-c, miaofng/uds-c, collin80/Open-SAE-J1939, socketcand, cannelloni, OpenAMP, OVM3
- **Affected Systems**: Automotive ECUs, CAN bus gateways, vehicle diagnostic tools
- **Impact Scenarios**: Production vehicles, industrial networks, research platforms

## Remediation Solutions

1. **Open-SAE-J1939**: Fix the `size - overhead` calculation logic to prevent integer underflow and stack overflow.
2. **openxc/isotp-c**: Add checks for cumulative payload size to ensure it does not exceed the receive buffer.
3. **miaofng/uds-c**: Add length validation before `memcpy`.
4. **collin80/Open-SAE-J1939**: Fix packet length calculation to prevent integer overflow.
5. **socketcand**: Validate the length of the CAN ID string.
6. **cannelloni**: Add boundary checks to prevent buffer overflow.
7. **OpenAMP**: Fix arithmetic operations during ELF loading to prevent integer overflow.
8. **OVM3**: Add upper bound checks to prevent stack overflow.
## Detailed Vulnerability Information

| CVE | Library/Product | Version | Type | CVSS |
|-----|-----------------|---------|------|------|
| CVE-2026-37534 | Open-SAE-J1939 | ≤ b6caf884 | Integer Underflow - OOB Write | 9.8 |
| CVE-2026-42467 | Open-SAE-J1939 | ≤ b6caf884 | Stack Buffer Overflow | 9.8 |
| CVE-2026-37535 | openxc/isotp-c | ≤ Sa5d1924 | OOB Read | 7.5 |
| CVE-2026-37536 | miaofng/uds-c | commit e506334e | Stack Buffer Overflow | 9.8 |
| CVE-2026-37537 | collin80/Open-SAE-J1939 | ≤ 744024d4 | Integer Overflow | 9.8 |
| CVE-2026-37538 | socketcand | 0.4.2 | Stack Buffer Overflow | 9.8 |
| CVE-2026-37539 | cannelloni | 2.0.0 | Heap Buffer Overflow (CAN Frame Parsing) | 9.8 |
| CVE-2026-37540 | OpenAMP | 2025.10.0 | Integer Overflow - ELF Loader | 9.8 |
| CVE-2026-37541 | OVM3 | 3.3.005 | Stack Overflow - GVRET Format | 8.8 |
| CVE-2026-42468 | OVM3 | 3.3.005 | Stack Overflow - PCAP Format | 8.8 |
| CVE-2026-42469 | OVM3 | 3.3.005 | Stack Overflow - CANswitch Format | 8.8 |

## Specific Vulnerability Descriptions

### CVE-2026-37534 / CVE-2026-42467 — Open-SAE-J1939

When receiving malformed frames, the J1939 message parser's `size - overhead` calculation wraps around, resulting in out-of-bounds values. A second, independent stack buffer overflow is tracked as CVE-2026-42467.

**Attack Vector**: Forged CAN frames sent via network or local bus.

### CVE-2026-37535 — openxc/isotp-c

ISO 15765-2 multi-frame reassembly in `isotp-c` lacks a check to ensure the cumulative payload fits within the receive buffer, leading to out-of-bounds reads.

### CVE-2026-37536 — miaofng/uds-c

The UDS (ISO 14229) request builder in `uds.c` copies service data via `memcpy` into a fixed-size stack buffer. The length parameter is taken directly from the request structure, which is attacker-controllable, and no boundary checks are performed.
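The three defects above (the wrapping `size - overhead` subtraction, the missing cumulative-payload check, and the unvalidated `memcpy` length) share one fix shape, shown here as an added example that is not code from isotp-c, uds-c or Open-SAE-J1939. The buffer size, per-frame overhead and session structure are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Fixed-size reassembly buffer and per-frame header size: assumed values for
 * this example, not taken from any of the libraries in the table. */
#define RX_BUF_SIZE    64
#define FRAME_OVERHEAD 2
typedef struct {
    uint8_t  data[RX_BUF_SIZE];
    uint16_t expected_len;  /* total announced by the first frame */
    uint16_t received_len;  /* bytes copied so far */
} rx_session_t;
/* The unchecked shape is: payload_len = size - FRAME_OVERHEAD; memcpy(...).
 * When size < FRAME_OVERHEAD the unsigned subtraction wraps, and nothing
 * bounds the running total, so the copy runs past the end of data[]. */

/* Hardened chunk handler: returns true only when the chunk was copied. */
bool rx_accept_chunk(rx_session_t *s, const uint8_t *frame, size_t size)
{
    /* Compare before subtracting so the unsigned subtraction cannot wrap. */
    if (size < FRAME_OVERHEAD)
        return false;
    size_t payload_len = size - FRAME_OVERHEAD;
    /* The announced total must itself fit the receive buffer. */
    if (s->expected_len > RX_BUF_SIZE || s->received_len > s->expected_len)
        return false;
    /* Cumulative check, written as a subtraction so it cannot overflow:
     * this chunk may not push received_len past the announced total. */
    if (payload_len > (size_t)(s->expected_len - s->received_len))
        return false;
    memcpy(s->data + s->received_len, frame + FRAME_OVERHEAD, payload_len);
    s->received_len = (uint16_t)(s->received_len + payload_len);
    return true;
}
/* Driver: feeds n constructed frames of the given sizes into a fresh session
 * and returns how many chunks were accepted. */
int rx_demo(uint16_t expected, const size_t *sizes, int n)
{
    rx_session_t s = {0};
    s.expected_len = expected;
    uint8_t frame[RX_BUF_SIZE + FRAME_OVERHEAD] = {0}; /* constructed frame bytes */
    int accepted = 0;
    for (int i = 0; i < n; i++)
        if (rx_accept_chunk(&s, frame, sizes[i])) accepted++;
    return accepted;
}
```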
### CVE-2026-37537 — collin80/Open-SAE-J1939

Packet length calculation overflows, producing a value small enough to pass allocation but large enough to blow past the subsequent `memcpy` buffer. Heap corruption follows.

### CVE-2026-37538 — socketcand

In `socketcand.c`, `main()` copies the CAN frame identifier string into a stack buffer. The length is never validated. A sufficiently long CAN ID will directly overwrite memory past the end of the buffer.

### CVE-2026-37539 — cannelloni

`parseCANFrame()` in `parser.cpp` handles CAN frames tunneled via UDP, TCP, or SCTP. Frame counts and per-frame data lengths are attacker-controlled. No boundary checks are performed before writing frame data to the receive buffer. Network reachable, no authentication required, CVSS 9.8.

### CVE-2026-37540 — OpenAMP ELF Loader

OpenAMP 2025.10.0 processes firmware via ELF images remotely. When processing `PT_LOAD` segments, the size calculation for the target region uses 32-bit arithmetic on fields pulled directly from the ELF header. After a multiplication overflow, the result is used to gate the `memcpy` length check. A forged firmware image corrupts host memory during the loading sequence.

### CVE-2026-37541 / CVE-2026-42468 / CVE-2026-42469 — OVM3

Three independent CAN log parsers in Open Vehicle Monitoring System 3 v3.3.005, each containing the same type of error:

- **CVE-2026-37541**: `canformat_gvret.cpp`, GVRET log format
- **CVE-2026-42468**: `canformat_pcap.cpp`, PCAP/pcapng format
- **CVE-2026-42469**: `canformat_canswitch.cpp`, CANswitch log format

In each case, field lengths from the log file header drive `memcpy` operations into fixed-size stack buffers. There are no upper bound checks. Forged log files
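For the OpenAMP ELF loader case above, where 32-bit sums and products of header fields wrap before gating the copy, the following added example (not OpenAMP's code) contrasts the unchecked shape with overflow-detected arithmetic. The structs use ELF32 field names but are constructed for the example, and the region and image sizes are assumed inputs.

```c
#include <stdbool.h>
#include <stdint.h>
/* ELF32-style header fields used by the loader checks. The names follow the
 * ELF32 layout, but these structs and functions are constructed for this
 * example and are not OpenAMP's code. */
typedef struct { uint32_t e_phoff, e_phentsize, e_phnum; } ehdr32_t;
typedef struct { uint32_t p_offset, p_filesz, p_paddr, p_memsz; } phdr32_t;

/* Shape of the bug class: 32-bit sums computed from header fields wrap, so a
 * forged segment can satisfy "end <= size" and still drive an oversized
 * memcpy. Kept only to contrast with the checked version below. */
bool segment_fits_unchecked(const phdr32_t *ph, uint32_t region_size, uint32_t image_size)
{
    uint32_t mem_end  = ph->p_paddr  + ph->p_memsz;   /* may wrap */
    uint32_t file_end = ph->p_offset + ph->p_filesz;  /* may wrap */
    return mem_end <= region_size && file_end <= image_size;
}

/* Hardened: the program header table size (count * entry size) is computed
 * with overflow-checked multiplication and addition before comparison. */
bool phdr_table_fits(const ehdr32_t *eh, uint32_t image_size)
{
    uint32_t table_size, table_end;
    if (__builtin_mul_overflow(eh->e_phnum, eh->e_phentsize, &table_size)) return false;
    if (__builtin_add_overflow(eh->e_phoff, table_size, &table_end))     return false;
    return table_end <= image_size;
}

/* Hardened: both end offsets are computed with overflow detection, and
 * filesz may not exceed memsz, so the copy length is bounded on both sides. */
bool segment_fits(const phdr32_t *ph, uint32_t region_size, uint32_t image_size)
{
    uint32_t mem_end, file_end;
    if (__builtin_add_overflow(ph->p_paddr,  ph->p_memsz,  &mem_end))  return false;
    if (__builtin_add_overflow(ph->p_offset, ph->p_filesz, &file_end)) return false;
    if (ph->p_filesz > ph->p_memsz) return false;
    return mem_end <= region_size && file_end <= image_size;
}
```

The `__builtin_*_overflow` helpers are GCC/Clang extensions; on other compilers the same checks can be written as `a > UINT32_MAX - b` before each addition.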