Cyber Resilience

CVE-2026-42469

High

Published: 01 May 2026

Published
01 May 2026
Modified
20 May 2026
KEV Added
Patch
CVSS Score v3.1 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
EPSS Score 0.0036 27.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-42469 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Openvehicles Open Vehicle Monitoring System Firmware. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-42469 is a buffer overflow vulnerability (CWE-121) in Open Vehicle Monitoring System 3 (OVMS3) version 3.3.005. The flaw occurs in the canformat_canswitch.cpp component, where the parser does not properly validate the CANswitch DLC value, published on 2026-05-01.

The vulnerability has a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H). Remote attackers require no privileges or user interaction and can exploit it over the network by sending crafted CANswitch frames, potentially causing a denial of service or executing arbitrary code.

Mitigation details are available in the referenced advisory at https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381.

EU & UK References

Vulnerability details

Buffer overflow vulnerability in Open Vehicle Monitoring System 3 (OVMS3) 3.3.005. In canformat_canswitch.cpp the parser does not properly validate a CANswitch DLC value, allowing remote attackers to cause a denial of service or possibly execute arbitrary code via crafted CANswitch…

more

frames.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated network exploitation of buffer overflow in OVMS3 parser for arbitrary code execution or DoS directly matches T1190 Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-37541Same product: Openvehicles Open Vehicle Monitoring System
CVE-2026-42468Same product: Openvehicles Open Vehicle Monitoring System
CVE-2026-38422Shared CWE-121
CVE-2025-11783Shared CWE-121
CVE-2025-54491Shared CWE-121
CVE-2024-39359Shared CWE-121
CVE-2020-37159Shared CWE-121
CVE-2024-39603Shared CWE-121
CVE-2024-36258Shared CWE-121
CVE-2024-51138Shared CWE-121

Affected Assets

openvehicles
open vehicle monitoring system firmware
3.3.005

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces validation of CANswitch DLC values in the parser to directly prevent buffer overflows from crafted frames.

prevent

Requires timely remediation of the specific buffer overflow flaw in canformat_canswitch.cpp through patching or updates.

prevent

Implements memory protections like DEP and ASLR to mitigate exploitation of buffer overflows even if validation fails.

References