Cyber Resilience

CVE-2026-37541

Critical

Published: 01 May 2026

Published
01 May 2026
Modified
20 May 2026
KEV Added
Patch
CVSS Score v3.1 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0068 47.8th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-37541 is a critical-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Openvehicles Open Vehicle Monitoring System Firmware. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 47.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-37541 is a buffer overflow vulnerability (CWE-121) affecting Open Vehicle Monitoring System 3 (OVMS3) version 3.3.005. The issue resides in the file canformat_gvret.cpp, where the length field in GVRET binary data is not properly validated. This flaw earned a maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity with network accessibility, low complexity, no privileges or user interaction required, and scope change.

Remote attackers can exploit this vulnerability by sending crafted GVRET frames over the network. Unauthenticated adversaries require no special privileges and face low barriers to exploitation, potentially causing a denial of service through crashes or, in some cases, achieving arbitrary code execution with high confidentiality, integrity, and availability impacts due to the scope change.

Mitigation details are referenced in the following advisories: https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 and the project repository at https://github.com/openvehicles/Open-Vehicle-Monitoring-System-3. Security practitioners should consult these sources for patch availability or workarounds specific to OVMS3 deployments.

EU & UK References

Vulnerability details

Buffer overflow vulnerability in Open Vehicle Monitoring System 3 (OVMS3) 3.3.005. In canformat_gvret.cpp, the length field in GVRET binary data is not properly validated, allowing remote attackers to cause a denial of service or possibly execute arbitrary code via crafted…

more

GVRET frames.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated buffer overflow in public-facing OVMS3 application enables initial access via exploitation of the vulnerable network service, directly mapping to T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42469Same product: Openvehicles Open Vehicle Monitoring System
CVE-2026-42468Same product: Openvehicles Open Vehicle Monitoring System
CVE-2026-38422Shared CWE-121
CVE-2025-11783Shared CWE-121
CVE-2025-54491Shared CWE-121
CVE-2024-39359Shared CWE-121
CVE-2020-37159Shared CWE-121
CVE-2024-39603Shared CWE-121
CVE-2024-36258Shared CWE-121
CVE-2024-51138Shared CWE-121

Affected Assets

openvehicles
open vehicle monitoring system firmware
3.3.005

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of length fields in incoming GVRET binary data to prevent buffer overflows from crafted frames.

prevent

Implements memory safeguards like stack canaries, ASLR, and DEP to block arbitrary code execution even if buffer overflow occurs.

prevent

Ensures timely identification, patching, and deployment of fixes for the specific buffer overflow flaw in OVMS3 canformat_gvret.cpp.

References