CVE-2026-37532

Published: May 1, 2026

Modified: May 1, 2026

PUBLISHED

CVSS v3.1

7.1

HIGH

Description

AGL agl-service-can-low-level thru 17.1.12 contains a heap buffer over-read in the isotp-c library. In isotp_continue_receive (receive.c:87-89), the payload_length for a Single Frame is extracted from a 4-bit nibble in the CAN frame data, yielding values 0-15. However, a standard CAN frame is only 8 bytes, with payload starting at data[1] (7 bytes available). When payload_length exceeds the available data (e.g., nibble=15 but only 7 payload bytes exist), memcpy(message.payload, &data[1], payload_length) reads up to 8 bytes past the end of the data buffer.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AC:L/AV:A/A:H/C:L/I:N/PR:N/S:U/UI:N

Attack Complexity

Low

Attack Vector

Adjacent

Availability

High

Confidentiality

Low

Integrity

None

Privileges Required

None

Scope

Unchanged

User Interaction

None

References

https://gerrit.automotivelinux.org/gerrit/apps/agl-service-can-low-level

https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-37532

Description

Affected Products

CVSS v3.1 Details

References