Cyber Resilience

CVE-2026-37537

High

Published: 01 May 2026
Modified: 07 May 2026
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0022 (12.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-37537 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE is ranked at the 12.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-37537 affects the collin80/Open-SAE-J1939 library through commit 744024d4306bc387857dfce439558336806acb06 (dated 2023-03-08). The vulnerability is an integer underflow (CWE-190) in Transport Protocol Data Transfer handling, where line 23 computes uint8_t index = data[0] - 1. When data[0], the sequence number from a CAN frame, is 0, index underflows to 255. This triggers a subsequent out-of-bounds write at tp_dt->data[255*7 + i-1], reaching offset 1791 and exceeding the MAX_TP_DT buffer of 1785 bytes by 6 bytes. The issue carries a CVSS v3.1 base score of 8.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).

An attacker with adjacent network access, such as on the same CAN bus, can exploit this vulnerability with low attack complexity, requiring no privileges or user interaction. Exploitation leads to high-impact integrity and availability violations through the out-of-bounds write, potentially enabling memory corruption, denial of service, or code execution depending on the context, while confidentiality remains unaffected.

Mitigation details are available in the referenced advisories and repositories, including a vulnerability report at https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381, the original repository at https://github.com/collin80/Open-SAE-J1939, and a related fork at https://github.com/DanielMartensson/Open-SAE-J1939. Affected versions end at the specified 2023 commit, so practitioners should verify updates or patches in these sources.
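The wraparound described above, shown beside a hardened store that applies the SI-10 style input validation the analysis recommends. This is an added C example, not code from the Open-SAE-J1939 repository or the advisory; the tp_dt struct, the MAX_TP_DT value of 1785, the frame bytes and the function names are constructed from the figures quoted in this analysis.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed to match the advisory: 255 TP.DT packets x 7 payload bytes each. */
#define MAX_TP_DT 1785

struct tp_dt { uint8_t data[MAX_TP_DT]; };   /* reassembly buffer; other fields omitted */

/* The arithmetic the advisory describes: data[0] - 1 stored in a uint8_t.
   For a sequence number of 0 this wraps to 255 instead of failing. */
static uint8_t vulnerable_index(uint8_t seq)
{
    uint8_t index = seq - 1;   /* 0 - 1 wraps to 255 */
    return index;
}

/* Highest offset the original loop (i = 1..7) touches for that index:
   index*7 + i - 1 with i = 7. For seq == 0 that is 1791, past MAX_TP_DT. */
static size_t vulnerable_last_offset(uint8_t seq)
{
    return (size_t)vulnerable_index(seq) * 7 + 6;
}

/* Hardened store (SI-10 style input validation): reject sequence number 0,
   widen before multiplying, and bounds-check the whole 7-byte packet against
   MAX_TP_DT before any write. Returns true only if the packet was stored. */
static bool tp_dt_store_packet(struct tp_dt *tp_dt, const uint8_t data[8])
{
    uint8_t seq = data[0];
    if (seq == 0) return false;               /* TP.DT sequence numbers start at 1 */
    size_t base = (size_t)(seq - 1) * 7;
    if (base + 7 > MAX_TP_DT) return false;   /* defensive, if MAX_TP_DT ever changes */
    for (int i = 1; i <= 7; i++) tp_dt->data[base + i - 1] = data[i];
    return true;
}

/* Feeds one constructed frame through the hardened path. Returns -1 if the
   frame was rejected, otherwise the offset of its first payload byte, read
   back to confirm the write landed inside the buffer. */
static int store_constructed_frame(uint8_t seq)
{
    static struct tp_dt tp_dt;
    const uint8_t frame[8] = { seq, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x11 };
    if (!tp_dt_store_packet(&tp_dt, frame)) return -1;
    size_t base = (size_t)(seq - 1) * 7;
    return tp_dt.data[base] == 0xAA ? (int)base : -2;
}
```

With a sequence number of 0 the original arithmetic lands its last byte at offset 1791, while the hardened store rejects the frame before touching the buffer; sequence numbers 1 through 255 still map to offsets 0 through 1784.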


Vulnerability details

collin80/Open-SAE-J1939 through commit 744024d4306bc387857dfce439558336806acb06 (2023-03-08) contains an integer underflow leading to an out-of-bounds write in Transport Protocol Data Transfer handling. At line 23: uint8_t index = data[0] - 1. When data[0] (the sequence number from the CAN frame) is 0, index underflows to 255. The subsequent write at tp_dt->data[255*7 + i-1] reaches offset 1791, exceeding the MAX_TP_DT buffer (1785 bytes) by 6 bytes.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1203 Exploitation for Client Execution (Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

The integer underflow leading to out-of-bounds write in the J1939 protocol handler is exploitable over adjacent network (CAN bus) with no privileges or interaction required, directly enabling exploitation of remote services (T1210) for initial access and client-side code execution or DoS (T1203) via memory corruption.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-21244 (shared CWE-190)
CVE-2025-21243 (shared CWE-190)
CVE-2026-40962 (shared CWE-190)
CVE-2025-30405 (shared CWE-190)
CVE-2025-47392 (shared CWE-190)
CVE-2025-21338 (shared CWE-190)
CVE-2026-5732 (shared CWE-190)
CVE-2026-8949 (shared CWE-190)
CVE-2026-41142 (shared CWE-190)
CVE-2026-30909 (shared CWE-190)


Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Validates the sequence number input from the CAN frame to prevent integer underflow and subsequent out-of-bounds write in the Transport Protocol Data Transfer handling.

SI-16 Memory Protection (prevent): Implements memory protection mechanisms such as non-executable memory and address space randomization to mitigate exploitation of the out-of-bounds write beyond the MAX_TP_DT buffer.

Flaw remediation (prevent, recover): Requires timely identification, reporting, and patching of the specific integer underflow flaw in the collin80/Open-SAE-J1939 library to eliminate the vulnerability.
