Cyber Resilience

CVE-2026-37530

Severity: High (updated)

Published: 01 May 2026
Modified: 20 May 2026
KEV: not listed in the CISA KEV catalog
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0002 (5.2th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-37530 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Linuxfoundation Automotive Grade Linux. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-37530 is a stack buffer overflow vulnerability (CWE-121) affecting AGL agl-service-can-low-level versions through 17.1.12, specifically in the uds-c library. The issue resides in the send_diagnostic_request function within uds.c, where a 6-byte stack buffer (defined by MAX_DIAGNOSTIC_PAYLOAD_SIZE=6) is allocated, but up to 7 bytes (MAX_UDS_REQUEST_PAYLOAD_LENGTH=7) are copied via memcpy starting at an offset of 1+pid_length (2-3 bytes). This results in 1-4 bytes of controlled stack overflow due to the lack of bounds checking on the uint8_t payload_length field against the destination buffer. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and was published on 2026-05-01.

A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted UDS diagnostic request to a vulnerable instance. On 32-bit ARM automotive ECUs lacking stack canaries, the controlled overflow enables overwriting the return address, potentially leading to remote code execution (RCE).

Mitigation details and related resources are available in the provided references, including the AGL agl-service-can-low-level Gerrit repository at https://gerrit.automotivelinux.org/gerrit/apps/agl-service-can-low-level and a GitHub Gist at https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643.

Vulnerability details

AGL agl-service-can-low-level through 17.1.12 contains a stack buffer overflow in the uds-c library. The send_diagnostic_request function in uds.c allocates a 6-byte stack buffer (MAX_DIAGNOSTIC_PAYLOAD_SIZE=6) but copies up to 7 bytes (MAX_UDS_REQUEST_PAYLOAD_LENGTH=7) via memcpy at an offset of 1+pid_length (2-3 bytes), resulting in 1-4 bytes of controlled stack overflow. The payload_length field (uint8_t) has no bounds check against the destination buffer. On 32-bit ARM automotive ECUs without stack canaries, this can lead to return address overwrite and RCE.

CWE(s): CWE-121 Stack-based Buffer Overflow

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated stack buffer overflow in a network-accessible service (UDS diagnostic request) enabling RCE via return address overwrite directly maps to exploitation of public-facing applications for initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-37531 (same product: Linuxfoundation Automotive Grade Linux)
CVE-2026-37526 (same product: Linuxfoundation Automotive Grade Linux)
CVE-2026-37532 (same product: Linuxfoundation Automotive Grade Linux)
CVE-2026-37525 (same product: Linuxfoundation Automotive Grade Linux)
CVE-2025-68137 (same vendor: Linuxfoundation)
CVE-2026-33701 (same vendor: Linuxfoundation)
CVE-2024-24421 (same vendor: Linuxfoundation)
CVE-2026-23995 (same vendor: Linuxfoundation)
CVE-2026-24124 (same vendor: Linuxfoundation)
CVE-2026-22790 (same vendor: Linuxfoundation)

Affected Assets

Linuxfoundation Automotive Grade Linux, versions ≤ 17.1.12

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned mapping)

prevent: SI-10 Information Input Validation
Requires bounds checking and validation of the UDS diagnostic request payload_length field so that memcpy cannot overflow the 6-byte stack buffer.

prevent: SI-16 Memory Protection
Implements stack canaries and related memory safeguards to detect or block controlled stack overflows that overwrite return addresses on 32-bit ARM ECUs lacking such protections.

prevent
Mandates timely remediation of the specific stack buffer overflow flaw in the agl-service-can-low-level uds-c library through patching or code fixes.
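The bounds check that SI-10 calls for, applied to the copy described in the deeper analysis, as an added example: this is a constructed C model of the described pattern, not uds-c's own code. The two size constants and the payload_length and pid_length names come from the advisory; the DiagnosticRequest struct, overflow_bytes and try_request are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Buffer and request limits as named in the advisory. */
#define MAX_DIAGNOSTIC_PAYLOAD_SIZE    6
#define MAX_UDS_REQUEST_PAYLOAD_LENGTH 7

/* Simplified request model for this example (assumption, not the uds-c layout). */
typedef struct {
    uint8_t  mode;                                    /* UDS service id */
    bool     has_pid;
    uint16_t pid;
    uint8_t  pid_length;                              /* 1 or 2 bytes */
    uint8_t  payload_length;                          /* externally supplied uint8_t */
    uint8_t  payload[MAX_UDS_REQUEST_PAYLOAD_LENGTH];
} DiagnosticRequest;

/* Bytes an unchecked memcpy at offset 1 + pid_length would write past the
 * 6-byte buffer; 0 means the copy fits. Matches the advisory's 1-4 byte range. */
size_t overflow_bytes(uint8_t pid_length, uint8_t payload_length) {
    size_t end = 1u + pid_length + payload_length;
    return end > MAX_DIAGNOSTIC_PAYLOAD_SIZE ? end - MAX_DIAGNOSTIC_PAYLOAD_SIZE : 0;
}

/* Hardened builder: rejects the request unless mode + pid + payload fit in
 * out_size bytes. Returns bytes written, or -1 when the request is rejected. */
int build_diagnostic_payload(const DiagnosticRequest *req, uint8_t *out, size_t out_size) {
    size_t offset = 1u + (req->has_pid ? req->pid_length : 0u);
    if (req->has_pid && (req->pid_length < 1 || req->pid_length > 2)) return -1;
    if (req->payload_length > MAX_UDS_REQUEST_PAYLOAD_LENGTH) return -1;
    if (offset > out_size || req->payload_length > out_size - offset) return -1; /* the missing check */
    out[0] = req->mode;
    for (uint8_t i = 0; i < (req->has_pid ? req->pid_length : 0); i++)      /* pid, big-endian */
        out[1 + i] = (uint8_t)(req->pid >> (8 * (req->pid_length - 1 - i)));
    memcpy(out + offset, req->payload, req->payload_length);
    return (int)(offset + req->payload_length);
}

/* Builds a request with the given lengths into a local 6-byte buffer and
 * returns the builder's result, so the check can be exercised directly. */
int try_request(uint8_t pid_length, uint8_t payload_length) {
    uint8_t buf[MAX_DIAGNOSTIC_PAYLOAD_SIZE];
    DiagnosticRequest req = { .mode = 0x2E, .has_pid = true, .pid = 0xF190,
                              .pid_length = pid_length, .payload_length = payload_length };
    for (uint8_t i = 0; i < sizeof req.payload; i++) req.payload[i] = (uint8_t)(i + 1);
    return build_diagnostic_payload(&req, buf, sizeof buf);
}
```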
