Cyber Resilience

CVE-2026-37535

High

Published: 01 May 2026

Modified: 07 May 2026
CVSS Score (v3.1): 7.1 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)
EPSS Score: 0.0002 (5.6th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-37535 is a high-severity Out-of-bounds Read (CWE-125) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 5.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-37535, published on 2026-05-01, is an out-of-bounds read vulnerability (CWE-125) affecting the openxc/isotp-c library through commit 5a5d19245f65189202719321facd49ce6f5d46ac (2021-08-09). The flaw resides in the ISO-TP Single Frame receive handler, where a 4-bit payload length nibble extracted from a CAN frame is passed directly as the memcpy size parameter without validation against the actual CAN data length. This leads to potential memory reads beyond the intended buffer boundaries. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H).

An attacker with adjacent network access, such as physical proximity to the CAN bus, can exploit this vulnerability with low attack complexity and no required privileges or user interaction. By transmitting a crafted CAN frame whose length nibble exceeds the frame's actual data length, the attacker triggers the out-of-bounds read, which can result in a denial of service (high availability impact) or disclosure of sensitive information (low confidentiality impact).

Mitigation details and further technical analysis are available in the referenced advisories and source code, including a GitHub Gist at https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381, the openxc/isotp-c repository at https://github.com/openxc/isotp-c, and the specific receive.c file at https://github.com/openxc/isotp-c/blob/master/src/isotp/receive.c.
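As an added illustration (not code from the isotp-c project), the following minimal ISO-TP single-frame receive handler in C is modelled on the flaw described above: the 4-bit SF_DL nibble is attacker-controlled and must be bounded by the frame's real data length and by the destination buffer before it reaches memcpy. The struct, function names and CAN frame values are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CAN_MAX_DLC 8          /* classic CAN: at most 8 data bytes per frame */
#define ISOTP_SF_MAX_PAYLOAD 7 /* one PCI byte leaves at most 7 payload bytes */

enum { ISOTP_PCI_SINGLE_FRAME = 0x0 };

/* Hypothetical received-message buffer, shaped like a single-frame handler's. */
typedef struct {
    uint8_t payload[ISOTP_SF_MAX_PAYLOAD];
    uint8_t size;
} isotp_message_t;

/* Hardened single-frame handler. Returns true and fills *out on success.
 * The check marked FIX is the validation the advisory says was missing:
 * the length nibble must fit within the bytes that actually arrived. */
bool isotp_receive_single_frame(const uint8_t *data, uint8_t data_length,
                                isotp_message_t *out)
{
    if (data == NULL || out == NULL || data_length < 1 ||
        data_length > CAN_MAX_DLC)
        return false;

    uint8_t pci_type = data[0] >> 4;            /* high nibble: frame type */
    uint8_t payload_length = data[0] & 0x0F;    /* low nibble: SF_DL */

    if (pci_type != ISOTP_PCI_SINGLE_FRAME)
        return false;

    /* FIX: bound the untrusted nibble by the payload bytes present after the
     * PCI byte (data_length - 1) and by the size of the destination buffer.
     * Without this, memcpy below reads past the end of the CAN data. */
    if (payload_length > ISOTP_SF_MAX_PAYLOAD ||
        payload_length > (uint8_t)(data_length - 1))
        return false;

    memcpy(out->payload, &data[1], payload_length); /* size is now bounded */
    out->size = payload_length;
    return true;
}
```

A frame that announces more payload bytes than its data length carries is rejected instead of being copied; the same comparison can serve as a detection rule in a CAN bus monitor.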


Vulnerability details

openxc/isotp-c through commit 5a5d19245f65189202719321facd49ce6f5d46ac (2021-08-09) contains an out-of-bounds read in the ISO-TP Single Frame receive handler, where the 4-bit payload length nibble is used directly as the memcpy size without validating it against the actual CAN data length. A malicious CAN frame with an oversized length nibble can cause memory reads beyond the buffer, allowing attackers to cause a denial of service, or gain sensitive information.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The out-of-bounds read in the CAN/ISO-TP handler lets a crafted frame crash the system, directly facilitating application/system exploitation for endpoint denial of service.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23388 (shared CWE-125)
CVE-2025-24265 (shared CWE-125)
CVE-2025-21717 (shared CWE-125)
CVE-2026-6918 (shared CWE-125)
CVE-2026-25942 (shared CWE-125)
CVE-2024-46670 (shared CWE-125)
CVE-2026-48132 (shared CWE-125)
CVE-2026-22023 (shared CWE-125)
CVE-2025-1673 (shared CWE-125)
CVE-2026-43006 (shared CWE-125)


Mitigating Controls (NIST 800-53 r5)

prevent · SI-10 (Information Input Validation): Directly requires validation of the 4-bit payload length nibble from CAN frames against the actual data length to prevent an out-of-bounds memcpy.

prevent · SI-16 (Memory Protection): Implements runtime memory protections to restrict unauthorized out-of-bounds reads beyond buffer boundaries triggered by an oversized length nibble.

prevent: Mandates identification, reporting, and remediation of the specific out-of-bounds read flaw in the isotp-c library through patching or upgrades.
