CVE-2026-37530

HIGH

7.5

Descricao

AGL agl-service-can-low-level thru 17.1.12 contains a stack buffer overflow in the uds-c library. The send_diagnostic_request function in uds.c allocates a 6-byte stack buffer (MAX_DIAGNOSTIC_PAYLOAD_SIZE=6) but copies up to 7 bytes (MAX_UDS_REQUEST_PAYLOAD_LENGTH=7) via memcpy at an offset of 1+pid_length (2-3 bytes), resulting in 1-4 bytes of controlled stack overflow. The payload_length field (uint8_t) has no bounds check against the destination buffer. On 32-bit ARM automotive ECUs without stack canaries, this can lead to return address overwrite and RCE.

Detalhes CVE

Pontuacao CVSS v3.17.5

SeveridadeHIGH

Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vetor de ataqueNETWORK

ComplexidadeLOW

Privilegios necessariosNONE

Interacao do usuarioNONE

Publicado5/1/2026

Ultima modificacao5/1/2026

Fontenvd

Avistamentos honeypot0

Fraquezas (CWE)

CWE-121

Referencias

https://gerrit.automotivelinux.org/gerrit/apps/agl-service-can-low-level(cve@mitre.org)

https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643(cve@mitre.org)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.