CVE-2026-37532
Published: 01 May 2026
Summary
CVE-2026-37532 is a high-severity Buffer Over-read (CWE-126) vulnerability in Automotivelinux (inferred from references). Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 0.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of the CAN frame payload_length nibble (0-15) against the 7-byte available payload to prevent the heap buffer over-read in memcpy.
Mandates timely flaw remediation for the specific heap buffer over-read vulnerability in the isotp-c library of agl-service-can-low-level.
Implements runtime memory protections like heap hardening and bounds checking to mitigate exploitation of the buffer over-read leading to DoS.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The heap buffer over-read in the CAN service allows crafted adjacent-network frames to trigger crashes, directly enabling Endpoint Denial of Service via Application or System Exploitation.
NVD Description
AGL agl-service-can-low-level thru 17.1.12 contains a heap buffer over-read in the isotp-c library. In isotp_continue_receive (receive.c:87-89), the payload_length for a Single Frame is extracted from a 4-bit nibble in the CAN frame data, yielding values 0-15. However, a standard CAN…
more
frame is only 8 bytes, with payload starting at data[1] (7 bytes available). When payload_length exceeds the available data (e.g., nibble=15 but only 7 payload bytes exist), memcpy(message.payload, &data[1], payload_length) reads up to 8 bytes past the end of the data buffer.
Deeper analysisAI
CVE-2026-37532 is a heap buffer over-read vulnerability (CWE-126) affecting AGL agl-service-can-low-level versions through 17.1.12. The flaw resides in the isotp-c library, specifically in the isotp_continue_receive function (receive.c:87-89). Here, the payload_length for a Single Frame is derived from a 4-bit nibble in the CAN frame data, permitting values from 0 to 15. A standard CAN frame, however, offers only 8 bytes total, with payload starting at data[1] and thus 7 bytes available. When payload_length exceeds this—such as a nibble value of 15—the subsequent memcpy(message.payload, &data[1], payload_length) reads up to 8 bytes past the end of the data buffer.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H), indicating exploitation requires adjacent network access with low complexity, no privileges, and no user interaction. An attacker on the adjacent network, such as via physical proximity to the CAN bus, can trigger the over-read by sending a crafted CAN frame. This results in low confidentiality impact but high availability impact, likely enabling denial-of-service through application crashes or instability.
Advisories and potential patches are documented in the Automotive Grade Linux Gerrit repository for agl-service-can-low-level (https://gerrit.automotivelinux.org/gerrit/apps/agl-service-can-low-level) and a related GitHub Gist (https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643), which provide source code details and analysis of the issue.
Details
- CWE(s)