CVE-2026-37537
Published: 01 May 2026
Summary
CVE-2026-37537 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 12.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-37537 affects the collin80/Open-SAE-J1939 library through commit 744024d4306bc387857dfce439558336806acb06 (dated 2023-03-08). The vulnerability is an integer underflow (CWE-190) in Transport Protocol Data Transfer handling, where line 23 computes uint8_t index = data[0] - 1. When data[0], the sequence number from a CAN frame, is 0, index underflows to 255. This triggers a subsequent out-of-bounds write at tp_dt->data[255*7 + i-1], reaching offset 1791 and exceeding the MAX_TP_DT buffer of 1785 bytes by 6 bytes. The issue carries a CVSS v3.1 base score of 8.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).
An attacker with adjacent network access, such as on the same CAN bus, can exploit this vulnerability with low attack complexity, requiring no privileges or user interaction. Exploitation leads to high-impact integrity and availability violations through the out-of-bounds write, potentially enabling memory corruption, denial of service, or code execution depending on the context, while confidentiality remains unaffected.
Mitigation details are available in the referenced advisories and repositories, including a vulnerability report at https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381, the original repository at https://github.com/collin80/Open-SAE-J1939, and a related fork at https://github.com/DanielMartensson/Open-SAE-J1939. Affected versions end at the specified 2023 commit, so practitioners should verify updates or patches in these sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26690
Vulnerability details
collin80/Open-SAE-J1939 thru commit 744024d4306bc387857dfce439558336806acb06 (2023-03-08) contains an integer underflow leading to out-of-bounds write in Transport Protocol Data Transfer handling. At line 23: uint8_t index = data[0] - 1. When data[0] (sequence number from CAN frame) is 0, index underflows to…
more
255. Subsequent write at tp_dt->data[255*7 + i-1] reaches offset 1791, exceeding the MAX_TP_DT buffer (1785 bytes) by 6 bytes.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The integer underflow leading to out-of-bounds write in the J1939 protocol handler is exploitable over adjacent network (CAN bus) with no privileges or interaction required, directly enabling exploitation of remote services (T1210) for initial access and client-side code execution or DoS (T1203) via memory corruption.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Validates the sequence number input from the CAN frame to prevent integer underflow and subsequent out-of-bounds write in the Transport Protocol Data Transfer handling.
Implements memory protection mechanisms such as non-executable memory and address space randomization to mitigate exploitation of the out-of-bounds write beyond the MAX_TP_DT buffer.
Requires timely identification, reporting, and patching of the specific integer underflow flaw in the collin80/Open-SAE-J1939 library to eliminate the vulnerability.