CVE-2026-37536:
A stack buffer overflow vulnerability exists in the `send_diagnostic_request` function of miaofng/uds-c (commit e506334e270d77b20c0bc259ac6c7d8c9b702b7a), allowing an adjacent network attacker to overflow a 6-byte stack buffer by up to 4 bytes due to missing bounds checking on `payload_length` before a `memcpy` operation.
Score
A numerical rating that indicates how dangerous this vulnerability is.
8.8 High
- Published Date: May 1, 2026
- CISA KEV Date: *No Data*
- Industries Affected: 20
Threat Predictions
- EPSS Score: 0.0
- EPSS Percentile: 3%
Exploitability
- Score: 2.8
- Attack Vector: ADJACENT_NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
Impact
- Score: 5.9
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
Overview
CVE-2026-37536 is a stack-based buffer overflow (CWE-121) affecting the miaofng fork of the uds-c library at a specific historical commit. The vulnerable `send_diagnostic_request` function builds the outgoing frame in a stack buffer of `MAX_DIAGNOSTIC_PAYLOAD_SIZE` (6) bytes: offset 0 holds the mode byte, the PID follows at offset 1, and the request payload is then copied with `memcpy` to offset `1 + pid_length`. Nothing checks `payload_length` against the space remaining, yet the request type allows it to reach `MAX_UDS_REQUEST_PAYLOAD_LENGTH` (7). With a two-byte PID the copy therefore targets offsets 3 through 9 of a buffer that ends at offset 5, so the last 4 bytes of the payload land past the end of the buffer, in whatever the compiler placed above it on the stack. The page rates the attack vector as adjacent network with no privileges or user interaction required; note that the overflowed value is a field of the request the application itself constructs, so practical exposure depends on whether values from the bus or another untrusted source can populate `payload_length` without validation before the request is sent. The vulnerability carries a CVSS 3.1 score of 8.8 (HIGH), with potential impacts spanning full confidentiality loss, integrity compromise, and availability disruption on the affected system.
Remediation
- To remediate this vulnerability, developers should introduce an explicit bounds check on `payload_length` before the `memcpy` call in `send_diagnostic_request`, rejecting the request when `1 + pid_length + payload_length` exceeds `MAX_DIAGNOSTIC_PAYLOAD_SIZE`. The check must run before any byte is copied, and it is worth repeating it where the request is first built from external input, so that an oversized `payload_length` never reaches the send path. If valid payloads can legitimately exceed the current buffer size, the buffer should instead be enlarged to the maximum possible write (`MAX_UDS_REQUEST_PAYLOAD_LENGTH + 1 + max_pid_length`) and the check adjusted to match. Silently truncating the copy is a weaker option, since it produces a malformed request rather than surfacing the error. Organizations using the miaofng/uds-c fork should compare the affected function against the upstream openxc/uds-c repository, determine whether upstream carries the same code or an equivalent fix, and apply patches accordingly. Until a fix is applied, restricting which adjacent network interfaces and which application paths can originate diagnostic requests serves as a compensating control.
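The arithmetic from the Overview and the check from the Remediation, as an added example that is not code from either uds-c repository. The constants are the three values quoted on this page; the `DemoRequest` struct, the `overflow_bytes` and `build_diagnostic_frame` functions, the assumed two-byte maximum PID width, and the sample requests are all constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values as quoted on this page for the affected commit. */
#define MAX_DIAGNOSTIC_PAYLOAD_SIZE     6   /* on-stack frame buffer */
#define MAX_UDS_REQUEST_PAYLOAD_LENGTH  7   /* largest request payload_length */
#define PID_BYTE_INDEX                  1   /* mode byte occupies offset 0 */
#define MAX_PID_LENGTH                  2   /* assumption; gives the 4-byte spill */

/* Stand-in for the library's request struct (hypothetical field layout). */
typedef struct {
    uint8_t  mode;
    uint16_t pid;
    uint8_t  pid_length;                              /* 0, 1 or 2 */
    uint8_t  payload[MAX_UDS_REQUEST_PAYLOAD_LENGTH];
    uint8_t  payload_length;
} DemoRequest;

/* Bytes that a memcpy of payload_length bytes at offset 1 + pid_length
 * would write past a MAX_DIAGNOSTIC_PAYLOAD_SIZE-byte buffer (0 = fits). */
int overflow_bytes(unsigned pid_length, unsigned payload_length) {
    unsigned end = PID_BYTE_INDEX + pid_length + payload_length;
    if (end <= MAX_DIAGNOSTIC_PAYLOAD_SIZE)
        return 0;
    return (int)(end - MAX_DIAGNOSTIC_PAYLOAD_SIZE);
}

/* Hardened frame builder. Returns the number of bytes placed in out, or -1
 * when mode + PID + payload cannot fit. Every check precedes the copy, so
 * the failure path writes nothing. */
int build_diagnostic_frame(const DemoRequest *req,
                           uint8_t out[MAX_DIAGNOSTIC_PAYLOAD_SIZE]) {
    unsigned offset = PID_BYTE_INDEX + req->pid_length;

    if (req->pid_length > MAX_PID_LENGTH)
        return -1;
    if (req->payload_length > MAX_UDS_REQUEST_PAYLOAD_LENGTH)
        return -1;
    /* The bound the vulnerable code lacks: offset + length vs. buffer size. */
    if (offset + req->payload_length > MAX_DIAGNOSTIC_PAYLOAD_SIZE)
        return -1;

    memset(out, 0, MAX_DIAGNOSTIC_PAYLOAD_SIZE);
    out[0] = req->mode;
    if (req->pid_length == 1) {
        out[1] = (uint8_t)(req->pid & 0xFF);
    } else if (req->pid_length == 2) {
        out[1] = (uint8_t)(req->pid >> 8);          /* big-endian PID */
        out[2] = (uint8_t)(req->pid & 0xFF);
    }
    memcpy(&out[offset], req->payload, req->payload_length);
    return (int)(offset + req->payload_length);
}

int main(void) {
    uint8_t frame[MAX_DIAGNOSTIC_PAYLOAD_SIZE];

    /* Constructed worst case from the page: 2-byte PID, 7-byte payload. */
    DemoRequest bad = { .mode = 0x22, .pid = 0xF190, .pid_length = 2,
                        .payload = {1, 2, 3, 4, 5, 6, 7}, .payload_length = 7 };
    printf("unchecked copy would spill %d bytes\n",
           overflow_bytes(bad.pid_length, bad.payload_length));
    printf("checked build returns %d\n", build_diagnostic_frame(&bad, frame));

    /* Constructed request that fits exactly: 1 + 2 + 3 == 6. */
    DemoRequest ok = { .mode = 0x2E, .pid = 0xF190, .pid_length = 2,
                       .payload = {0xAA, 0xBB, 0xCC}, .payload_length = 3 };
    int n = build_diagnostic_frame(&ok, frame);
    printf("checked build returns %d:", n);
    for (int i = 0; i < n; i++)
        printf(" %02X", frame[i]);
    printf("\n");
    return 0;
}
```

`overflow_bytes` reproduces the page's figures: 4 bytes for a two-byte PID with a full 7-byte payload, 3 bytes for a one-byte PID. The builder returns -1 for the same inputs rather than copying a partial frame, which is the behaviour the Remediation recommends over truncation.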
References
- [CVE-2026-37536 – NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2026-37536)
- [Proof-of-Concept / Analysis Gist by sgInnora](https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381)
- [miaofng/uds-c – Affected Repository](https://github.com/miaofng/uds-c)
- [openxc/uds-c – Upstream Repository](https://github.com/openxc/uds-c)
- [CWE-121: Stack-based Buffer Overflow](https://cwe.mitre.org/data/definitions/121.html)