CVE-2026-37532: Heap Over-Read in AGL agl-service-can-low-level
The National Vulnerability Database has disclosed CVE-2026-37532, a high-severity heap buffer over-read in AGL agl-service-can-low-level versions up to 17.1.12. The flaw lies in the bundled isotp-c library, in the isotp_continue_receive function. For a single-frame message, payload_length is taken from a 4-bit nibble of the frame's first data byte and can therefore be any value up to 15, but a standard 8-byte CAN frame has only 7 bytes of payload after that first byte.
According to the National Vulnerability Database, when the extracted payload_length exceeds those 7 available bytes, the memcpy into the message payload reads beyond the allocated data buffer, by up to 8 bytes past its end. The extra bytes may expose sensitive memory contents, and the out-of-bounds read can also destabilize the application. The vulnerability is rated CVSS 7.1 (High), a significant risk for affected systems.
Exploitation requires access to the affected CAN bus, but no prior authentication or user interaction. The National Vulnerability Database did not list affected products beyond the AGL component itself, so any system that integrates agl-service-can-low-level should be treated as potentially at risk, including embedded and automotive Linux environments where CAN bus communication is critical.
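The over-read described above, shown as an added C illustration that is not code from the isotp-c project or the AGL service: the unchecked variant trusts the length nibble the way the advisory describes, and the checked variant rejects any frame whose declared length exceeds the bytes actually present in the frame. The function and type names (`unchecked_read_len`, `parse_single_frame_checked`, `over_read_bytes`, `single_frame`) and the two sample frames are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <stdbool.h>

/* Added illustration, not isotp-c's or AGL's code. The names below and the
 * sample frames are assumptions made for this example. */

#define CAN_MAX_DLC 8                     /* classic CAN data field: 8 bytes */
#define SF_MAX_PAYLOAD (CAN_MAX_DLC - 1)  /* 7 bytes follow the first (PCI) byte */

typedef struct {
    uint8_t payload[SF_MAX_PAYLOAD];
    uint8_t length;
} single_frame;

/* Mirrors the flaw the advisory describes: the 4-bit length nibble (0..15)
 * is trusted and handed straight to memcpy, so for values above 7 the copy
 * reads past the 8-byte CAN data buffer.  Returns the length memcpy would use. */
static size_t unchecked_read_len(const uint8_t *data, size_t data_len) {
    (void)data_len;               /* the vulnerable path never consults the real size */
    return data[0] & 0x0F;
}

/* Hardened variant: validate the declared length against both the bytes
 * actually present in the frame and the destination capacity before copying.
 * Returns false (and copies nothing) for a frame that would over-read. */
static bool parse_single_frame_checked(const uint8_t *data, size_t data_len,
                                       single_frame *out) {
    if (data == NULL || out == NULL || data_len < 1 || data_len > CAN_MAX_DLC)
        return false;
    uint8_t payload_length = data[0] & 0x0F;
    if (payload_length > data_len - 1 || payload_length > SF_MAX_PAYLOAD)
        return false;             /* declared length exceeds available bytes */
    memcpy(out->payload, &data[1], payload_length);
    out->length = payload_length;
    return true;
}

/* Number of bytes beyond the frame buffer that the unchecked copy would touch. */
static size_t over_read_bytes(const uint8_t *data, size_t data_len) {
    size_t want = unchecked_read_len(data, data_len);
    size_t have = data_len > 0 ? data_len - 1 : 0;
    return want > have ? want - have : 0;
}

int main(void) {
    /* Constructed frames: byte 0 is the PCI byte, its low nibble is the length. */
    const uint8_t ok_frame[8]  = {0x03, 0xAA, 0xBB, 0xCC, 0x00, 0x00, 0x00, 0x00};
    const uint8_t bad_frame[8] = {0x0F, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x11};
    single_frame sf;
    printf("ok_frame  accepted=%d over-read=%zu bytes\n",
           (int)parse_single_frame_checked(ok_frame, 8, &sf), over_read_bytes(ok_frame, 8));
    printf("bad_frame accepted=%d over-read=%zu bytes\n",
           (int)parse_single_frame_checked(bad_frame, 8, &sf), over_read_bytes(bad_frame, 8));
    return 0;
}
```

The second frame declares 15 payload bytes while only 7 follow the PCI byte, which is exactly the 8-byte over-read the advisory quantifies; the checked parser rejects it before any memory is touched, and the same bound also protects the fixed-size destination buffer.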
What This Means For You
- If your organization develops or deploys systems built on AGL agl-service-can-low-level, especially those with CAN bus integration, assess your exposure to CVE-2026-37532 now. The heap over-read can result in denial of service or information disclosure, both critical in automotive and embedded contexts. Prioritize patching, or mitigations where patching is not yet possible, for versions up to 17.1.12.
Related ATT&CK Techniques
Detection Rules
CVE-2026-37532: Heap Over-Read in AGL agl-service-can-low-level isotp_continue_receive
```yaml
title: 'CVE-2026-37532: Heap Over-Read in AGL agl-service-can-low-level isotp_continue_receive'
id: scw-2026-05-01-ai-1
status: experimental
level: high
description: |
  This rule matches the creation of an agl-service-can-low-level process whose command line contains isotp_continue_receive, the function in the isotp-c library that is vulnerable in CVE-2026-37532. A match indicates a possible exploitation attempt against the heap buffer over-read.
author: SCW Feed Engine (AI-generated)
date: 2026-05-01
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-37532/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: process_creation
detection:
  selection:
    Image|contains:
      - 'agl-service-can-low-level'
    CommandLine|contains:
      - 'isotp_continue_receive'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-37532 | Buffer Overflow | AGL agl-service-can-low-level through 17.1.12 |
| CVE-2026-37532 | Memory Corruption | Heap buffer over-read in isotp-c library |
| CVE-2026-37532 | Information Disclosure | memcpy(message.payload, &data[1], payload_length) reads past end of data buffer in isotp_continue_receive (receive.c:87-89) |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 01, 2026 at 20:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.