Cyber Resilience

CVE-2026-37539

Severity: Critical
Published: 01 May 2026
Modified: 05 May 2026
KEV Added: not listed
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0054 (41.6th percentile)
Risk priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-37539 is a critical-severity Stack-based Buffer Overflow (CWE-121) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 41.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-37539 is a buffer overflow vulnerability in cannelloni version 2.0.0, affecting CAN frame parsing in the parseCANFrame function within parser.cpp and the decodeFrame function within decoder.cpp. The issue, classified as CWE-121 (stack-based buffer overflow), can be triggered by remote attackers using crafted CAN FD frames. The flaw carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical because of its potential for severe impact.

Attackers can exploit this vulnerability remotely over a network with low complexity, requiring no privileges or user interaction. Successful exploitation may cause a denial of service through application crashes or potentially allow arbitrary code execution, compromising confidentiality, integrity, and availability to a high degree.

Mitigation guidance and further details are available in the referenced advisory at https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 and the cannelloni GitHub repository at https://github.com/mguentner/cannelloni. The CVE was published on 2026-05-01T17:16:23.803.


Vulnerability details

Buffer overflow vulnerability in cannelloni v2.0.0 in CAN frame parsing (parser.cpp, function parseCANFrame, and decoder.cpp, function decodeFrame), allowing remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted CAN FD frames.

CWE(s): CWE-121 (Stack-based Buffer Overflow)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A remote buffer overflow in the network-facing cannelloni parser enables unauthenticated exploitation via crafted frames for RCE or DoS, mapping directly to T1190 Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-38422 (shared CWE-121)
CVE-2025-11783 (shared CWE-121)
CVE-2025-54491 (shared CWE-121)
CVE-2024-39359 (shared CWE-121)
CVE-2026-42469 (shared CWE-121)
CVE-2020-37159 (shared CWE-121)
CVE-2024-39603 (shared CWE-121)
CVE-2024-36258 (shared CWE-121)
CVE-2024-51138 (shared CWE-121)
CVE-2025-69763 (shared CWE-121)

Affected Assets

Mitigating Controls (NIST 800-53 r5, AI-mapped)

Prevent (SI-10, Information Input Validation): Requires validation of incoming CAN FD frames to prevent buffer overflows from crafted malicious inputs in the parseCANFrame and decodeFrame functions.

Prevent (patching): Directly remediates the specific buffer overflow flaw in cannelloni v2.0.0 through timely identification, testing, and deployment of patches.

Prevent (SI-16, Memory Protection): Implements memory protection mechanisms such as stack canaries, ASLR, and DEP to block arbitrary code execution even if a buffer overflow occurs.
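As an added illustration of the input-validation control (SI-10) listed above, and not code from cannelloni or its advisory: a hardened CAN FD frame parser in C that checks the attacker-controlled length field against the protocol's permitted DLC lengths, the fixed destination buffer, and the bytes actually received before any copy happens. The wire layout (4-byte ID, 1-byte length, payload) and the sample frames are constructed assumptions for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define CANFD_MAX_DLEN 64u  /* largest CAN FD payload; sizes the fixed buffer below */

/* Hypothetical wire layout (constructed here, not cannelloni's): 4-byte big-endian ID, 1-byte length, payload. */
struct canfd_frame_parsed { uint32_t can_id; uint8_t len; uint8_t data[CANFD_MAX_DLEN]; };

/* CAN FD DLCs encode only these payload lengths: 0..8, 12, 16, 20, 24, 32, 48, 64. */
bool canfd_len_is_valid(uint8_t len)
{
    static const uint8_t allowed[] = {12, 16, 20, 24, 32, 48, 64};
    if (len <= 8) return true;
    for (size_t i = 0; i < sizeof allowed; i++) if (allowed[i] == len) return true;
    return false;
}

/* Returns bytes consumed, or 0 if the frame is rejected. The attacker-controlled
 * length is checked against the protocol, the destination buffer and the input. */
size_t parse_canfd_frame_checked(const uint8_t *buf, size_t buf_len,
                                 struct canfd_frame_parsed *out)
{
    if (buf == NULL || out == NULL || buf_len < 5) return 0;  /* header incomplete */
    uint8_t len = buf[4];
    if (!canfd_len_is_valid(len)) return 0;   /* invalid DLC; also guarantees len <= 64 */
    if (buf_len - 5 < len) return 0;          /* payload not fully present in input */
    out->can_id = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                  ((uint32_t)buf[2] << 8) | buf[3];
    out->len = len;
    memset(out->data, 0, sizeof out->data);
    memcpy(out->data, buf + 5, len);          /* bounded by both checks above */
    return 5u + len;
}

/* Constructed inputs (not captured traffic). Returns how many of the four samples were
 * handled correctly: the well-formed frame accepted, the three malformed ones rejected. */
int count_correctly_handled_samples(void)
{
    static const uint8_t good[] = {0, 0, 1, 0x23, 12, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12};
    static const uint8_t oversized[] = {0, 0, 0, 1, 0xff, 0xaa};                 /* len 255 > 64 */
    static const uint8_t truncated[] = {0, 0, 0, 1, 8, 1, 2, 3};                 /* claims 8, has 3 */
    static const uint8_t bad_dlc[] = {0, 0, 0, 1, 9, 1, 2, 3, 4, 5, 6, 7, 8, 9}; /* 9: no such DLC */
    struct canfd_frame_parsed f;
    int ok = parse_canfd_frame_checked(good, sizeof good, &f) == 17 && f.can_id == 0x123 &&
             f.len == 12 && f.data[11] == 12;
    ok += parse_canfd_frame_checked(oversized, sizeof oversized, &f) == 0;
    ok += parse_canfd_frame_checked(truncated, sizeof truncated, &f) == 0;
    ok += parse_canfd_frame_checked(bad_dlc, sizeof bad_dlc, &f) == 0;
    return ok;
}
```

The same three checks (protocol-valid length, destination capacity, bytes actually present) are what a reviewer would look for at every point where a length read from the network drives a copy into a stack buffer.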
