CVE-2026-37534:
An integer underflow vulnerability in Open-SAE-J1939 allows attackers to write to arbitrary memory via a crafted sequence number in a CAN frame.
Score
A numerical rating that indicates how dangerous this vulnerability is.
9.8Critical- Published Date:May 1, 2026
- CISA KEV Date:*No Data*
- Industries Affected:20
Threat Predictions
- EPSS Score:0.0
- EPSS Percentile:3%
Exploitability
- Score:3.9
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:NONE
- User Interaction:NONE
- Scope:UNCHANGED
Impact
- Score:5.9
- Confidentiality Impact:HIGH
- Integrity Impact:HIGH
- Availability Impact:HIGH
Description Preview
An integer underflow vulnerability in Open-SAE-J1939 allows attackers to write to arbitrary memory via a crafted sequence number in a CAN frame.
Overview
CVE-2026-37534 affects the Open-SAE-J1939 open-source library, which implements the SAE J1939 communication protocol commonly used in embedded and industrial CAN bus environments. The vulnerability is an integer underflow in the `SAE_J1939_Read_Transport_Protocol_Data_Transfer` function, triggered when processing a specially crafted sequence number value from an incoming CAN frame. When the sequence number causes an underflow, the resulting erroneous value is used in memory addressing logic, enabling an attacker to write data to arbitrary memory locations. This class of vulnerability can be exploited to achieve code execution, corrupt safety-critical control data, or destabilize the affected system. Given the typical deployment of J1939 in vehicle networks, industrial control systems, and heavy machinery, exploitation could have significant real-world safety implications. The issue affects all versions of Open-SAE-J1939 up to and including the referenced commit.
Remediation
- At the time of publication, users should review the Open-SAE-J1939 GitHub repository for any patches or updated commits that address this vulnerability. As an immediate mitigation, developers should apply strict validation and bounds-checking on the sequence number field extracted from incoming CAN frames before using it in any arithmetic or memory indexing operations within `SAE_J1939_Read_Transport_Protocol_Data_Transfer`. Network-level mitigations include restricting access to CAN bus interfaces and implementing message filtering to prevent untrusted or malformed frames from reaching affected systems. Organizations deploying Open-SAE-J1939 in safety-critical environments should assess exposure and consider isolating affected components until an official fix is available.
References
- - [CVE-2026-37534 - NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2026-37534)
- - [Open-SAE-J1939 GitHub Repository](https://github.com/DanielMartensson/Open-SAE-J1939)
- - [Proof of Concept / Research Gist by sgInnora](https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381)
- - [CWE-191: Integer Underflow (Wrap or Wraparound)](https://cwe.mitre.org/data/definitions/191.html)
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
