CVE-2026-37535
Published: 01 May 2026
Summary
CVE-2026-37535 is a high-severity Out-of-bounds Read (CWE-125) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability is ranked at the 5.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-37535, published on 2026-05-01, is an out-of-bounds read vulnerability (CWE-125) affecting the openxc/isotp-c library through commit 5a5d19245f65189202719321facd49ce6f5d46ac (2021-08-09). The flaw resides in the ISO-TP Single Frame receive handler, where the 4-bit payload length nibble extracted from a CAN frame is passed directly to memcpy as the size argument without being validated against the actual CAN data length. As a result, the copy can read beyond the boundary of the received frame. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H).
An attacker with adjacent network access, such as physical proximity to the CAN bus, can exploit this vulnerability with low attack complexity and no required privileges or user interaction. By crafting and transmitting a malicious CAN frame whose length nibble exceeds the data actually present, the attacker triggers the out-of-bounds read, which can result in a denial of service (high availability impact) or disclosure of sensitive information (low confidentiality impact).
Mitigation details and further technical analysis are available in the referenced advisories and source code, including a GitHub Gist at https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381, the openxc/isotp-c repository at https://github.com/openxc/isotp-c, and the specific receive.c file at https://github.com/openxc/isotp-c/blob/master/src/isotp/receive.c.
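The missing check the advisory describes, as an added illustration rather than isotp-c's own code: a Single Frame handler that validates the 4-bit length nibble against both the Single Frame maximum and the bytes the CAN frame actually carries before any memcpy takes place. The structure type, constants and sample frames are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed: classic CAN carries at most 8 data bytes, 7 of them payload after the PCI byte. */
#define CAN_MAX_DATA   8
#define SF_MAX_PAYLOAD (CAN_MAX_DATA - 1)
#define PCI_TYPE_SF    0x0
/* Assumed receive structure; not isotp-c's own type. */
typedef struct {
    uint8_t payload[SF_MAX_PAYLOAD];
    uint8_t payload_length;
} sf_message_t;

/* The flawed pattern the advisory describes is, in effect,
 *     sf_dl = data[0] & 0x0F;  memcpy(out->payload, &data[1], sf_dl);
 * so an 8-byte frame whose nibble says 15 is read 7 bytes past its end. */
bool receive_single_frame(const uint8_t *data, uint8_t data_len, sf_message_t *out) {
    if (data == NULL || out == NULL || data_len < 1 || data_len > CAN_MAX_DATA)
        return false;
    if ((data[0] >> 4) != PCI_TYPE_SF)
        return false;                      /* PCI high nibble is not Single Frame */
    uint8_t sf_dl = data[0] & 0x0F;        /* 4-bit payload length nibble */
    /* Nibble must fit the SF limit AND the bytes actually received (data_len - 1); 0 is invalid here. */
    if (sf_dl == 0 || sf_dl > SF_MAX_PAYLOAD || sf_dl >= data_len)
        return false;
    memcpy(out->payload, &data[1], sf_dl);
    out->payload_length = sf_dl;
    return true;
}

/* Returns the accepted payload length, or -1 when the frame is rejected. */
int sf_accepted_length(const uint8_t *data, uint8_t data_len) {
    sf_message_t m;
    return receive_single_frame(data, data_len, &m) ? (int)m.payload_length : -1;
}

/* Constructed sample frames (8 data bytes each unless noted). */
const uint8_t ok_frame[8]    = {0x03, 0xAA, 0xBB, 0xCC, 0x55, 0x55, 0x55, 0x55}; /* SF, 3 bytes */
const uint8_t bad_frame[8]   = {0x0F, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07}; /* nibble 15 */
const uint8_t short_frame[3] = {0x05, 0x11, 0x22};                               /* 3 bytes, nibble 5 */
const uint8_t ff_frame[8]    = {0x10, 0x20, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06}; /* First Frame PCI */

int main(void) {
    return (sf_accepted_length(ok_frame, 8) == 3 && sf_accepted_length(bad_frame, 8) == -1 &&
            sf_accepted_length(short_frame, 3) == -1 && sf_accepted_length(ff_frame, 8) == -1) ? 0 : 1;
}
```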
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26688
Vulnerability details
openxc/isotp-c thru commit 5a5d19245f65189202719321facd49ce6f5d46ac (2021-08-09) contains an out-of-bounds read in the ISO-TP Single Frame receive handler, where the 4-bit payload length nibble is used directly as the memcpy size without validating it against the actual CAN data length. A malicious CAN frame with an oversized length nibble can cause memory reads beyond the buffer, allowing attackers to cause a denial of service, or gain sensitive information.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An out-of-bounds read in the CAN/ISO-TP handler lets a crafted frame crash the system, which maps directly to application or system exploitation for endpoint denial of service.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of the 4-bit payload length nibble from CAN frames against the actual data length to prevent an out-of-bounds memcpy.
- SI-16 (Memory Protection): Implements runtime memory protections to restrict unauthorized out-of-bounds reads beyond buffer boundaries triggered by an oversized length nibble.
- SI-2 (Flaw Remediation): Mandates identification, reporting, and remediation of the specific out-of-bounds read flaw in the isotp-c library through patching or upgrades.