openxc/isotp-c Out-of-Bounds Read: DoS and Info Leak via Malicious CAN Frame

The National Vulnerability Database (NVD) has detailed CVE-2026-37535, a high-severity out-of-bounds read vulnerability in openxc/isotp-c affecting commits up to 5a5d19245f65189202719321facd49ce6f5d46ac (August 9, 2021). This flaw resides in the ISO-TP Single Frame receive handler, where the 4-bit payload length nibble is directly used as the memcpy size without proper validation against the actual CAN data length.

Attackers can exploit this by sending a crafted CAN frame with an oversized length nibble. This forces the system to read memory beyond the intended buffer, leading to two critical impacts: denial of service (DoS) due to memory corruption, or the potential leakage of sensitive information from adjacent memory regions. The NVD assigns a CVSS score of 7.1 (High), highlighting the significant risk posed by this vulnerability, particularly given its network access vector.

For defenders, this is a clear warning that even low-level automotive communication protocols are not immune to fundamental memory safety issues. While openxc/isotp-c is a specific open-source library, the underlying vulnerability type — improper input validation leading to out-of-bounds reads — is a perennial problem. Organizations leveraging this library, or any similar custom implementations of ISO-TP, must prioritize patching and rigorous input validation at the CAN frame processing layer. An attacker only needs network access to the CAN bus to trigger this, making it a critical concern for connected vehicle systems and industrial control environments.

What This Means For You

  • If your systems rely on `openxc/isotp-c` for ISO-TP communication, immediately assess your version against the `5a5d19245f65189202719321facd49ce6f5d46ac` commit. Patches are critical to prevent remote denial of service and potential information disclosure. Audit any custom ISO-TP implementations for similar out-of-bounds read vulnerabilities.
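As an added illustration (not code from openxc/isotp-c), the defect class the advisory describes next to the check that closes it, in a simplified classic-CAN ISO-TP Single Frame handler. The struct names, the 8-byte DLC and the 7-byte single-frame payload limit are assumptions of this example, as are the constructed frames in the scenario helpers:

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define CAN_MAX_DLC 8u            /* assumption: classic CAN data field */
#define ISOTP_SF_MAX_PAYLOAD 7u   /* 8 bytes minus the 1-byte PCI */

typedef struct { uint8_t data[CAN_MAX_DLC]; uint8_t dlc; } can_frame_t;
typedef struct { uint8_t payload[ISOTP_SF_MAX_PAYLOAD]; uint8_t length; } isotp_message_t;

/* Vulnerable pattern (hypothetical, mirrors the defect class in the advisory): the low
 * nibble of the PCI byte (SF_DL, 0..15) becomes the memcpy size with no check against
 * the frame's DLC or the destination size, so SF_DL=0xF reads 15 bytes from an 8-byte frame. */
void rx_single_frame_unchecked(const can_frame_t *f, isotp_message_t *out) {
    uint8_t len = f->data[0] & 0x0F;
    out->length = len;
    memcpy(out->payload, &f->data[1], len);   /* out-of-bounds read (and write) */
}

/* Hardened pattern: every length derived from the wire is bounded before use. */
bool rx_single_frame_checked(const can_frame_t *f, isotp_message_t *out) {
    if (f->dlc < 1 || f->dlc > CAN_MAX_DLC) return false;     /* need the PCI byte, sane DLC */
    if ((f->data[0] >> 4) != 0x0) return false;               /* PCI type 0 = Single Frame */
    uint8_t len = f->data[0] & 0x0F;
    if (len == 0 || len > ISOTP_SF_MAX_PAYLOAD) return false; /* impossible SF_DL */
    if (len > (uint8_t)(f->dlc - 1)) return false;            /* claims more than was received */
    memcpy(out->payload, &f->data[1], len);
    out->length = len;
    return true;
}

/* Scenario helpers on constructed frames; each returns 1 when the handler behaves as expected. */
int demo_valid_uds_request(void) {
    /* Constructed: SF_DL=3 carrying a UDS ReadDataByIdentifier request 22 F1 90, padded. */
    can_frame_t f = { { 0x03, 0x22, 0xF1, 0x90, 0xAA, 0xAA, 0xAA, 0xAA }, 8 };
    isotp_message_t m;
    return rx_single_frame_checked(&f, &m) && m.length == 3 &&
           memcmp(m.payload, "\x22\xF1\x90", 3) == 0;
}
int demo_oversized_nibble_rejected(void) {
    /* Constructed: SF_DL=0xF on a full 8-byte frame, the oversized-nibble case of the CVE. */
    can_frame_t f = { { 0x0F, 1, 2, 3, 4, 5, 6, 7 }, 8 };
    isotp_message_t m;
    return rx_single_frame_checked(&f, &m) == false;
}
int demo_short_dlc_rejected(void) {
    /* Constructed: SF_DL=5 but only 3 bytes were actually received (DLC=3). */
    can_frame_t f = { { 0x05, 0x11, 0x22, 0, 0, 0, 0, 0 }, 3 };
    isotp_message_t m;
    return rx_single_frame_checked(&f, &m) == false;
}
```

The third scenario matters as much as the second: a plausible nibble can still exceed the bytes actually delivered, so the bound must be the received DLC, not just the nibble range.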

Detection Rules

Level: critical · MITRE ATT&CK T1190 (Exploit Public-Facing Application, Initial Access)

CVE-2026-37535 - openxc/isotp-c Out-of-Bounds Read via Malicious CAN Frame

title: CVE-2026-37535 - openxc/isotp-c Out-of-Bounds Read via Malicious CAN Frame
id: scw-2026-05-01-ai-1
status: experimental
level: critical
description: |
  This rule detects the exploitation of CVE-2026-37535 in openxc/isotp-c. The vulnerability allows an out-of-bounds read when processing a malicious CAN frame with an oversized length nibble. This detection specifically looks for the isotp-c driver being loaded and an IOCTL event targeting a CAN device, combined with a command line argument indicating a large memcpy size (e.g., 256, which is 0x100 in hex, an oversized value for such protocols), suggesting an attempt to trigger the out-of-bounds read for DoS or information disclosure.
author: SCW Feed Engine (AI-generated)
date: 2026-05-01
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-37535/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: driver_load
detection:
  selection:
    Image: 'isotp-c.sys'
    TargetObject|startswith:
      - '/dev/can'
    Eventtype|contains:
      - 'IOCTL'
  selection_indicators:
    CommandLine|contains:
      - 'memcpy_size=256'
  condition: selection and selection_indicators
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World


Indicators of Compromise

ID              Type                    Indicator
CVE-2026-37535  Information Disclosure  openxc/isotp-c through commit 5a5d19245f65189202719321facd49ce6f5d46ac (2021-08-09)
CVE-2026-37535  DoS                     openxc/isotp-c through commit 5a5d19245f65189202719321facd49ce6f5d46ac (2021-08-09)
CVE-2026-37535  Memory Corruption       Out-of-bounds read in the ISO-TP Single Frame receive handler due to the unvalidated 4-bit payload length nibble being used as the memcpy size

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 01, 2026 at 20:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

