CVE-2026-37532

HIGH EPSS 14.0%

Published May 1, 20261mo ago · Modified Jun 17, 20261w ago

7.1 CVSS 3.1

High

Published May 1, 2026 1mo ago

Last Modified Jun 17, 2026 1w ago

Description

AGL agl-service-can-low-level thru 17.1.12 contains a heap buffer over-read in the isotp-c library. In isotp_continue_receive (receive.c:87-89), the payload_length for a Single Frame is extracted from a 4-bit nibble in the CAN frame data, yielding values 0-15. However, a standard CAN frame is only 8 bytes, with payload starting at data[1] (7 bytes available). When payload_length exceeds the available data (e.g., nibble=15 but only 7 payload bytes exist), memcpy(message.payload, &data[1], payload_length) reads up to 8 bytes past the end of the data buffer.

CVSS Details

Base Score

7.1

Exploitability

2.8

Impact

4.2

Vector string

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Attack Vector Adjacent

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality Low

Integrity None

Availability High

Threat Intelligence

EPSS Exploit Probability

14.0% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-126

Affected Products 1

Vendor	Product	Version	Range
linuxfoundation	automotive_grade_linux	*	≤17.1.12

References 2

gerrit.automotivelinux.org https://gerrit.automotivelinux.org/gerrit/apps/agl-service-can-low-level

Broken Link
gist.github.com https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643

Third Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.