
CVE-2026-37537:

An integer underflow vulnerability in collin80/Open-SAE-J1939 (through commit 744024d) allows adjacent network attackers to perform an out-of-bounds write via a crafted CAN frame with a sequence number of zero in the Transport Protocol Data Transfer handler.


Score: 8.1 (High)
  • Published Date: May 1, 2026
  • CISA KEV Date: No Data
  • Industries Affected: 20

Threat Predictions

  • EPSS Score: 0.0
  • EPSS Percentile: 3%

Exploitability

  • Score: 2.8
  • Attack Vector: ADJACENT_NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED

Impact

  • Score: 5.2
  • Confidentiality Impact: NONE
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

Overview

CVE-2026-37537 affects collin80/Open-SAE-J1939 through commit 744024d4306bc387857dfce439558336806acb06 (dated 2023-03-08). The vulnerability is an integer underflow (CWE-190) in the Transport Protocol Data Transfer handler. When a CAN frame carrying a sequence number of 0 is received, an unsigned 8-bit index variable underflows to 255 instead of being validated, resulting in a write that exceeds the 1785-byte `MAX_TP_DT` buffer by 6 bytes at offset 1791. This memory corruption is reachable from the adjacent CAN network without privileges or user interaction. The CVSS v3.1 base score is 8.1 (HIGH), reflecting high impacts to both integrity and availability with no confidentiality impact.

Remediation

  • No vendor-issued patch is documented at the time of publication; affected users should apply the following mitigations and monitor the upstream repository so that a patch can be applied as soon as one becomes available.
  • Add an explicit bounds check before computing the index: reject any CAN frame where `data[0]` equals 0 or exceeds the maximum expected sequence number for the TP.DT session.
  • Change the index type or add a runtime assertion so that an unsigned wraparound cannot pass silently.
  • Where possible, restrict physical or logical access to the CAN bus to trusted nodes only, reducing the attack surface implied by the adjacent-network attack vector.
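The index arithmetic the Overview describes, beside a checked handler of the kind the Remediation bullets call for, as an added illustration (example code written for this page, not code from the Open-SAE-J1939 project). `MAX_TP_DT` and its 1785-byte size come from the advisory; `tp_session_t`, `tp_dt_handle`, the `expected_packets` field, `vulnerable_offset` and the 7-payload-bytes-per-frame layout are this example's assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* MAX_TP_DT (1785) is taken from the advisory; every other name below is
   this example's own and does not come from the project. */
#define MAX_TP_DT            1785   /* TP.DT reassembly buffer size, per advisory */
#define TP_DT_PAYLOAD_BYTES  7      /* assumed: a TP.DT frame carries 7 data bytes */

typedef struct {
    uint8_t  buffer[MAX_TP_DT];
    uint16_t expected_packets;   /* assumed: packet count announced by the RTS/BAM frame */
    uint16_t received_packets;
} tp_session_t;

/* Reproduces only the index arithmetic the advisory describes: an unsigned
   8-bit index derived from data[0] - 1 wraps to 255 when data[0] == 0, so the
   derived byte offset (255 * 7 = 1785) already lies at the end of the buffer.
   This function only computes the offset; it never writes anywhere. */
uint16_t vulnerable_offset(uint8_t seq)
{
    uint8_t index = seq - 1;                                  /* 0 - 1 wraps to 255 */
    return (uint16_t)((uint16_t)index * TP_DT_PAYLOAD_BYTES); /* 1785 for seq == 0 */
}

/* Hardened handler: every frame is validated before any index is derived and
   the copy is range-checked against the buffer, so a wraparound can never turn
   into a write. Returns false when the frame is dropped. */
bool tp_dt_handle(tp_session_t *s, const uint8_t data[8])
{
    uint8_t seq = data[0];

    if (seq == 0)                        /* TP.DT sequence numbers start at 1 */
        return false;
    if (seq > s->expected_packets)       /* more packets than the session announced */
        return false;

    size_t offset = (size_t)(seq - 1) * TP_DT_PAYLOAD_BYTES;
    if (offset + TP_DT_PAYLOAD_BYTES > MAX_TP_DT)   /* defensive: payload must fit */
        return false;

    memcpy(&s->buffer[offset], &data[1], TP_DT_PAYLOAD_BYTES);
    s->received_packets++;
    return true;
}

int main(void)
{
    tp_session_t s;
    memset(&s, 0, sizeof s);
    s.expected_packets = 2;

    /* Constructed frames: data[0] is the sequence number, data[1..7] the payload. */
    const uint8_t seq_zero[8] = { 0, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA };
    const uint8_t seq_one[8]  = { 1, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 };

    printf("unchecked offset for seq 0: %u (buffer size %d)\n",
           vulnerable_offset(0), MAX_TP_DT);
    printf("seq 0 accepted by checked handler: %s\n",
           tp_dt_handle(&s, seq_zero) ? "yes" : "no");
    printf("seq 1 accepted by checked handler: %s\n",
           tp_dt_handle(&s, seq_one) ? "yes" : "no");
    return 0;
}
```

The `seq == 0` and `seq > expected_packets` checks are the two conditions the Remediation bullet names; the final offset check is the runtime assertion that makes the buffer size, rather than the width of the index type, the limit on what can be written.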

Industries Affected

Below is a list of industries most commonly impacted or potentially at risk based on intelligence.

Low:
  • Mining
  • Utilities
  • Information
  • Construction
  • Retail Trade
  • Manufacturing
  • Wholesale Trade
  • Educational Services
  • Finance and Insurance
  • Public Administration
  • Real Estate Rental and Leasing
  • Transportation and Warehousing
  • Accommodation and Food Services
  • Health Care and Social Assistance
  • Arts, Entertainment, and Recreation
  • Management of Companies and Enterprises
  • Agriculture, Forestry, Fishing and Hunting
  • Other Services (except Public Administration)
  • Professional, Scientific, and Technical Services
  • Administrative and Support and Waste Management and Remediation Services
