CVE-2026-37539
Published: 01 May 2026
Summary
CVE-2026-37539 is a critical-severity Stack-based Buffer Overflow (CWE-121) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-37539 is a buffer overflow vulnerability in cannelloni version 2.0.0, affecting CAN frame parsing in the parseCANFrame function within parser.cpp and the decodeFrame function within decoder.cpp. This issue, tied to CWE-121, enables remote attackers to trigger the vulnerability using crafted CAN FD frames. The flaw carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.
Attackers can exploit this vulnerability remotely over a network with low complexity, requiring no privileges or user interaction. Successful exploitation may cause a denial of service through application crashes or potentially allow arbitrary code execution, compromising confidentiality, integrity, and availability to a high degree.
Mitigation guidance and further details are available in the referenced advisory at https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 and the cannelloni GitHub repository at https://github.com/mguentner/cannelloni. The CVE was published on 2026-05-01T17:16:23.803.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26692
Vulnerability details
Buffer overflow vulnerability in cannelloni v2.0.0 in CAN frame parsing in parser.cpp in function parseCANFrame, and decoder.cpp in function decodeFrame allowing remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted CAN FD frames.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote buffer overflow in network-facing cannelloni parser enables unauthenticated exploitation via crafted frames for RCE or DoS, directly mapping to T1190 Exploit Public-Facing Application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires validation of incoming CAN FD frames to prevent buffer overflows from crafted malicious inputs in parseCANFrame and decodeFrame functions.
Directly remediates the specific buffer overflow flaw in cannelloni v2.0.0 through timely identification, testing, and deployment of patches.
Implements memory protection mechanisms like stack canaries, ASLR, and DEP to block arbitrary code execution even if buffer overflow occurs.