CVE-2026-37554
Published: 01 May 2026
Summary
CVE-2026-37554 is a high-severity Uncaught Exception (CWE-248) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 18.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires robust error handling to catch and manage OpenSSL exceptions from ECC point validation, preventing unhandled propagation and application crashes.
Validates incoming GeoNetworking packets for malformed secured content like invalid ECC points before they enter the vulnerable processing pipeline.
Ensures timely remediation of the specific flaw in exception handling within Vanetza V2X through identification, testing, and installation of software updates or patches.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables remote crafted packet exploitation causing unhandled exceptions and application crash, directly mapping to Application or System Exploitation under Endpoint Denial of Service.
NVD Description
An issue was discovered in Vanetza V2X v26.02 allowing remote unauthorized attackers to cause a denial of service. The vulnerability exists in the GeoNetworking packet processing pipeline where OpenSSL exceptions from ECC point validation (invalid compressed point, point not on…
more
curve) are not properly caught by the Router::indicate() call chain. The openssl_wrapper.cpp check() function (line 19) throws openssl::Exception when OpenSSL operations fail. The parser's catch block in parse_secured() should catch these, but the exception escapes through subsequent processing stages (indicate_common, indicate_extended). This causes std::terminate, crashing the V2X receiver.
Deeper analysisAI
CVE-2026-37554 is a denial-of-service vulnerability in Vanetza V2X version v26.02, affecting the GeoNetworking packet processing pipeline. The issue arises when OpenSSL exceptions from ECC point validation—such as invalid compressed points or points not on the curve—are not properly caught during processing. Specifically, the openssl_wrapper.cpp check() function at line 19 throws an openssl::Exception on OpenSSL failures, but the parser's catch block in parse_secured() fails to handle it, allowing the exception to propagate through indicate_common() and indicate_extended() in Router::indicate(), ultimately triggering std::terminate() and crashing the V2X receiver. This is classified under CWE-248 (Uncaught Exception) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Remote unauthorized attackers can exploit this vulnerability over the network with low complexity and no privileges required. By sending specially crafted packets that trigger ECC point validation failures in OpenSSL, attackers cause unhandled exceptions to escape the processing chain, resulting in an application crash via std::terminate(). The impact is limited to high availability disruption, rendering the V2X receiver inoperable until restart.
References include a detailed gist from the discoverer at https://gist.github.com/sgInnora/45128ae15d52df7238680a8f2da8359f and the official Vanetza repository at https://github.com/riebl/vanetza, with the vulnerable code in https://github.com/riebl/vanetza/blob/master/vanetza/geonet/router.cpp and https://github.com/riebl/vanetza/blob/master/vanetza/security/openssl_wrapper.cpp. No specific patches or mitigation steps are detailed in the provided information, but practitioners should review the repository for updates and ensure exception handling covers OpenSSL operations in security parsing.
Details
- CWE(s)