Cyber Posture

CVE-2026-37534

Critical

Published: 01 May 2026

Published
01 May 2026
Modified
07 May 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 5.7th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-37534 is a critical-severity Wrap or Wraparound (CWE-191) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Flaw remediation directly mitigates the integer underflow by applying patches to commits beyond b6caf884df46435e539b1ecbf92b6c29b345bdfe in the Open-SAE-J1939 library.

SI-10 Information Input Validation good match
prevent

Information input validation ensures crafted sequence numbers in CAN frames are checked for validity, preventing the integer underflow leading to arbitrary memory writes.

SI-16 Memory Protection partial match
prevent

Memory protection mechanisms like address space layout randomization or stack canaries mitigate the impact of arbitrary memory corruption from the underflow.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Remote network-exploitable integer underflow enabling arbitrary memory writes and RCE/DoS with no auth or interaction directly maps to initial access via exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Integer underflow vulnerability in Open-SAE-J1939 thru commit b6caf884df46435e539b1ecbf92b6c29b345bdfe (2025-11-30) in SAE_J1939_Read_Transport_Protocol_Data_Transfer,allows attackers to write to arbitrary memory via crafted sequence number from the CAN frame.

Deeper analysisAI

CVE-2026-37534 is an integer underflow vulnerability (CWE-191) in the Open-SAE-J1939 library through commit b6caf884df46435e539b1ecbf92b6c29b345bdfe (dated 2025-11-30). The flaw exists in the SAE_J1939_Read_Transport_Protocol_Data_Transfer function, enabling attackers to perform arbitrary memory writes by supplying a crafted sequence number embedded in a CAN frame.

With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability is exploitable over the network with low attack complexity, requiring no privileges, authentication, or user interaction. Any remote attacker able to transmit CAN frames to a vulnerable instance can trigger the integer underflow, achieving arbitrary memory corruption that compromises confidentiality, integrity, and availability—potentially resulting in remote code execution or denial of service.

Mitigation guidance and patches are referenced in the project's GitHub repository at https://github.com/DanielMartensson/Open-SAE-J1939. A related proof-of-concept is available at https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381. Security practitioners should update to commits beyond b6caf884df46435e539b1ecbf92b6c29b345bdfe and validate CAN frame handling in deployments.

Details

CWE(s)
CWE-191

CVEs Like This One

CVE-2026-33845Shared CWE-191
CVE-2025-2523Shared CWE-191
CVE-2025-3947Shared CWE-191
CVE-2025-0728Shared CWE-191
CVE-2024-10838Shared CWE-191
CVE-2025-67269Shared CWE-191
CVE-2025-29909Shared CWE-191
CVE-2026-33184Shared CWE-191
CVE-2025-29912Shared CWE-191
CVE-2025-21160Shared CWE-191

References