CVE-2026-37537: Integer Underflow in Open-SAE-J1939 Leads to Out-of-Bounds Write
The National Vulnerability Database has identified CVE-2026-37537, a critical vulnerability in the collin80/Open-SAE-J1939 library. This flaw stems from an integer underflow during Transport Protocol Data Transfer handling. Specifically, when the sequence number from a CAN frame is zero, the calculated index underflows to 255. This leads to an out-of-bounds write, allowing an attacker to write data beyond the intended buffer limits by up to 6 bytes. The National Vulnerability Database assigns this a CVSS score of 8.1 (HIGH).
This vulnerability poses a significant risk to systems utilizing the affected versions of Open-SAE-J1939, particularly in automotive and industrial control environments where the J1939 protocol is common. An attacker with network access could exploit this flaw to overwrite critical memory regions, potentially leading to denial-of-service conditions or even remote code execution. Given the protocol’s use in safety-critical systems, the impact of a successful exploit could be severe.
Defenders should prioritize identifying and patching or updating all instances of collin80/Open-SAE-J1939 to a commit after March 8, 2023, specifically post-744024d4306bc387857dfce439558336806acb06. Network segmentation and strict access controls for systems communicating via J1939 can also mitigate the attack surface. Continuous monitoring for anomalous J1939 traffic patterns is advised.
What This Means For You
- If your organization uses the Open-SAE-J1939 protocol, immediately audit your systems for collin80/Open-SAE-J1939 versions prior to commit 744024d4306bc387857dfce439558336806acb06 and apply necessary updates. This is critical for preventing potential memory corruption and system compromise.
Related ATT&CK Techniques
🛡️ Detection Rules
2 rules · 6 SIEM formats2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-37537: Open-SAE-J1939 Integer Underflow Out-of-Bounds Write
title: CVE-2026-37537: Open-SAE-J1939 Integer Underflow Out-of-Bounds Write
id: scw-2026-05-01-ai-1
status: experimental
level: critical
description: |
Detects the loading of the vulnerable Open-SAE-J1939 driver, which is the primary target for exploitation of CVE-2026-37537. This driver contains an integer underflow vulnerability in its Transport Protocol Data Transfer handling that can lead to an out-of-bounds write.
author: SCW Feed Engine (AI-generated)
date: 2026-05-01
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-37537/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: driver_load
detection:
selection:
Image:
- 'OpenSAEJ1939.sys'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-37537 | Buffer Overflow | collin80/Open-SAE-J1939 thru commit 744024d4306bc387857dfce439558336806acb06 |
| CVE-2026-37537 | Memory Corruption | Integer underflow in Transport Protocol Data Transfer handling at line 23: uint8_t index = data[0] - 1 |
| CVE-2026-37537 | Out-of-bounds Write | Write at tp_dt->data[255*7 + i-1] exceeding MAX_TP_DT buffer (1785 bytes) |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 01, 2026 at 20:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-7588 — Ggerve Coding-Standards-Mcp Path Traversal
CVE-2026-7588 — A vulnerability was found in ggerve coding-standards-mcp. This issue affects the function get_style_guide/get_best_practices of the file server.py. The manipulation of the argument Language...
CVE-2026-35233 — Denial of Service
CVE-2026-35233 — An unprivileged attacker can craft a user-space process with a malicious ELF binary containing an out-of-range sh_link field. When root-level dtrace attaches to...
CVE-2026-7587 — Open5GS Denial of Service
CVE-2026-7587 — A vulnerability has been found in Open5GS up to 2.7.7. This vulnerability affects the function amf_nsmf_pdusession_handle_update_sm_context of the file /src/amf/nsmf-handler.c of the component...