CVE-2026-37541
Published: 01 May 2026
Summary
CVE-2026-37541 is a critical-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Openvehicles Open Vehicle Monitoring System Firmware. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 47.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-37541 is a buffer overflow vulnerability (CWE-121) affecting Open Vehicle Monitoring System 3 (OVMS3) version 3.3.005. The issue resides in the file canformat_gvret.cpp, where the length field in GVRET binary data is not properly validated. This flaw earned a maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity with network accessibility, low complexity, no privileges or user interaction required, and scope change.
Remote attackers can exploit this vulnerability by sending crafted GVRET frames over the network. Unauthenticated adversaries require no special privileges and face low barriers to exploitation, potentially causing a denial of service through crashes or, in some cases, achieving arbitrary code execution with high confidentiality, integrity, and availability impacts due to the scope change.
Mitigation details are referenced in the following advisories: https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 and the project repository at https://github.com/openvehicles/Open-Vehicle-Monitoring-System-3. Security practitioners should consult these sources for patch availability or workarounds specific to OVMS3 deployments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26694
Vulnerability details
Buffer overflow vulnerability in Open Vehicle Monitoring System 3 (OVMS3) 3.3.005. In canformat_gvret.cpp, the length field in GVRET binary data is not properly validated, allowing remote attackers to cause a denial of service or possibly execute arbitrary code via crafted…
more
GVRET frames.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated buffer overflow in public-facing OVMS3 application enables initial access via exploitation of the vulnerable network service, directly mapping to T1190.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of length fields in incoming GVRET binary data to prevent buffer overflows from crafted frames.
Implements memory safeguards like stack canaries, ASLR, and DEP to block arbitrary code execution even if buffer overflow occurs.
Ensures timely identification, patching, and deployment of fixes for the specific buffer overflow flaw in OVMS3 canformat_gvret.cpp.