
CVE-2026-54413 (GCVE-0-2026-54413)

Vulnerability from cvelistv5 – Published: 2026-06-14 17:38 – Updated: 2026-06-14 17:38
Summary
driftregion iso14229 through 0.9.0 contains an integer underflow and downstream out-of-bounds read in the Handle_0x27_SecurityAccess() function in iso14229.c that allows a remote unauthenticated attacker to crash a UDS server and potentially read memory past the receive buffer by sending a single-byte 0x27 SecurityAccess request that follows any earlier well-formed 0x27 message. The handler reads the SecurityAccess subFunction from recv_buf[1] without first checking that recv_len is at least 2, then computes the key-data length as the unsigned subtraction (uint16_t)(recv_len - UDS_0X27_REQ_BASE_LEN); when recv_len equals 1 the result underflows to 65535 and is passed as args.len to the application's SecAccessValidateKey or SecAccessRequestSeed callback, which typically iterates or copies that many bytes from the 4-KB receive buffer. Every other UDS sub-function handler in the library (0x10, 0x11, 0x14, 0x19, 0x22, 0x23, 0x28, and others) performs an explicit recv_len lower-bound check before indexing; Handle_0x27_SecurityAccess is the sole outlier. The vulnerable handler reaches over CAN bus, OBD-II, ISO-TP, and DoIP transports and is exposed in the default diagnostic session without prior authentication; deployments on automotive ECUs, industrial controllers, and IoT devices that ship iso14229 as their UDS server are affected.
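To make the length arithmetic concrete, here is an added example (not the library's code) that models the computation the summary describes with constructed stand-in names, beside the guarded form the advisory recommends. It assumes UDS_0X27_REQ_BASE_LEN is 2 (SID plus subFunction), which is what "recv_len at least 2" and the wrap to 65535 imply, and a 4-KB receive buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the 0x27 request layout the advisory describes:
 * byte 0 = SID 0x27, byte 1 = subFunction, bytes 2.. = seed/key data.
 * UDS_0X27_REQ_BASE_LEN = 2 is assumed (SID + subFunction); RECV_BUF_SIZE
 * mirrors the 4-KB receive buffer. Names are stand-ins, not library code. */
#define UDS_0X27_REQ_BASE_LEN 2
#define RECV_BUF_SIZE 4096

/* Length arithmetic as the unguarded handler performs it: recv_len == 1
 * makes (1 - 2) wrap to 65535 in uint16_t (CWE-191). */
uint16_t key_len_unchecked(size_t recv_len) {
    return (uint16_t)(recv_len - UDS_0X27_REQ_BASE_LEN);
}

/* Guarded form matching the advisory's recommended fix: refuse requests
 * shorter than the base length BEFORE touching recv_buf[1] or subtracting.
 * Returns -1 where the handler should answer NRC 0x13
 * (incorrectMessageLengthOrInvalidFormat), else the key-data length.
 * sub_fn may be NULL if the caller does not need the subFunction byte. */
int key_len_checked(const uint8_t *recv_buf, size_t recv_len, uint8_t *sub_fn) {
    if (recv_buf == NULL || recv_len < UDS_0X27_REQ_BASE_LEN) {
        return -1;
    }
    if (sub_fn != NULL) {
        *sub_fn = recv_buf[1];  /* safe: recv_len >= 2 */
    }
    return (int)(recv_len - UDS_0X27_REQ_BASE_LEN);
}

/* Would a callback that walks args.len bytes from recv_buf + 2 stay inside
 * the data actually received and inside the buffer? Shows that the wrapped
 * length points about 64 KB past a 4-KB buffer (CWE-125). */
bool callback_len_in_bounds(size_t recv_len, uint16_t len) {
    return recv_len <= RECV_BUF_SIZE &&
           (size_t)len + UDS_0X27_REQ_BASE_LEN <= recv_len;
}

int main(void) {
    const uint8_t short_req[1] = {0x27};  /* constructed: SID only, no subFunction */
    uint16_t bad = key_len_unchecked(sizeof short_req);
    printf("unchecked len for 1-byte request: %u, in bounds: %d\n",
           (unsigned)bad, (int)callback_len_in_bounds(sizeof short_req, bad));
    printf("checked result for same request: %d\n",
           key_len_checked(short_req, sizeof short_req, NULL));
    return 0;
}
```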
CWE
  • CWE-191 - Integer Underflow (Wrap or Wraparound)
  • CWE-125 - Out-of-bounds Read
Impacted products
Vendor: driftregion | Product: iso14229 | Versions: affected from 0 through 0.9.0 inclusive (semver)
Credits
Burxonov Muslimbek

{
  "containers": {
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/driftregion/iso14229",
          "defaultStatus": "unknown",
          "product": "iso14229",
          "programFiles": [
            "iso14229.c"
          ],
          "programRoutines": [
            {
              "name": "Handle_0x27_SecurityAccess"
            }
          ],
          "repo": "https://github.com/driftregion/iso14229",
          "vendor": "driftregion",
          "versions": [
            {
              "lessThanOrEqual": "0.9.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Burxonov Muslimbek"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003edriftregion iso14229 through 0.9.0 contains an integer underflow and downstream out-of-bounds read in the \u003ccode\u003eHandle_0x27_SecurityAccess()\u003c/code\u003e function in \u003ccode\u003eiso14229.c\u003c/code\u003e that allows a remote unauthenticated attacker to crash a UDS server and potentially read memory past the receive buffer by sending a single-byte \u003ccode\u003e0x27\u003c/code\u003e SecurityAccess request that follows any earlier well-formed \u003ccode\u003e0x27\u003c/code\u003e message. The handler reads the SecurityAccess subFunction from \u003ccode\u003erecv_buf[1]\u003c/code\u003e without first checking that \u003ccode\u003erecv_len\u003c/code\u003e is at least 2, then computes the key-data length as the unsigned subtraction \u003ccode\u003e(uint16_t)(recv_len - UDS_0X27_REQ_BASE_LEN)\u003c/code\u003e; when \u003ccode\u003erecv_len\u003c/code\u003e equals 1 the result underflows to 65535 and is passed as \u003ccode\u003eargs.len\u003c/code\u003e to the application\u0027s \u003ccode\u003eSecAccessValidateKey\u003c/code\u003e or \u003ccode\u003eSecAccessRequestSeed\u003c/code\u003e callback, which typically iterates or copies that many bytes from the 4-KB receive buffer. Every other UDS sub-function handler in the library (\u003ccode\u003e0x10\u003c/code\u003e, \u003ccode\u003e0x11\u003c/code\u003e, \u003ccode\u003e0x14\u003c/code\u003e, \u003ccode\u003e0x19\u003c/code\u003e, \u003ccode\u003e0x22\u003c/code\u003e, \u003ccode\u003e0x23\u003c/code\u003e, \u003ccode\u003e0x28\u003c/code\u003e, and others) performs an explicit \u003ccode\u003erecv_len\u003c/code\u003e lower-bound check before indexing; \u003ccode\u003eHandle_0x27_SecurityAccess\u003c/code\u003e is the sole outlier. The vulnerable handler reaches over CAN bus, OBD-II, ISO-TP, and DoIP transports and is exposed in the default diagnostic session without prior authentication; deployments on automotive ECUs, industrial controllers, and IoT devices that ship iso14229 as their UDS server are affected.\u003c/p\u003e"
            }
          ],
          "value": "driftregion iso14229 through 0.9.0 contains an integer underflow and downstream out-of-bounds read in the Handle_0x27_SecurityAccess() function in iso14229.c that allows a remote unauthenticated attacker to crash a UDS server and potentially read memory past the receive buffer by sending a single-byte 0x27 SecurityAccess request that follows any earlier well-formed 0x27 message. The handler reads the SecurityAccess subFunction from recv_buf[1] without first checking that recv_len is at least 2, then computes the key-data length as the unsigned subtraction (uint16_t)(recv_len - UDS_0X27_REQ_BASE_LEN); when recv_len equals 1 the result underflows to 65535 and is passed as args.len to the application\u0027s SecAccessValidateKey or SecAccessRequestSeed callback, which typically iterates or copies that many bytes from the 4-KB receive buffer. Every other UDS sub-function handler in the library (0x10, 0x11, 0x14, 0x19, 0x22, 0x23, 0x28, and others) performs an explicit recv_len lower-bound check before indexing; Handle_0x27_SecurityAccess is the sole outlier. The vulnerable handler reaches over CAN bus, OBD-II, ISO-TP, and DoIP transports and is exposed in the default diagnostic session without prior authentication; deployments on automotive ECUs, industrial controllers, and IoT devices that ship iso14229 as their UDS server are affected."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "A remote unauthenticated attacker who can send a single SecurityAccess (SID 0x27) UDS request to a server built on iso14229 - over CAN bus, OBD-II, ISO-TP, or DoIP - crashes the diagnostic server process and may incidentally read up to roughly 64 KB of memory past the receive buffer through the callback the underflowed length is handed to. In automotive and industrial deployments this denies UDS diagnostics for the affected ECU or controller and, on bare-metal targets without memory protection, the resulting hard fault can take the whole control loop down for the duration of the watchdog reset cycle. No prior authentication, no SecurityAccess unlock, and no user interaction are required - the SecurityAccess handler is reachable in the default session."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "DIFFUSE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/AU:Y/V:D",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "A remote attacker on the same diagnostic transport (CAN/OBD-II/ISO-TP/DoIP) sends one well-formed SecurityAccess request followed by a single-byte 0x27 frame; the second frame triggers the integer underflow in Handle_0x27_SecurityAccess and the application\u0027s SecAccessValidateKey or SecAccessRequestSeed callback then reads up to 65535 bytes past the 4-KB receive buffer, crashing the UDS server process or the bare-metal ECU."
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-191",
              "description": "CWE-191 Integer Underflow (Wrap or Wraparound)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125 Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:38:16.326Z",
        "orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
        "shortName": "TuranSec"
      },
      "references": [
        {
          "name": "driftregion/iso14229 - upstream repository",
          "tags": [
            "product"
          ],
          "url": "https://github.com/driftregion/iso14229"
        },
        {
          "name": "Vulnerable Handle_0x27_SecurityAccess() in iso14229.c",
          "tags": [
            "product"
          ],
          "url": "https://github.com/driftregion/iso14229/blob/main/iso14229.c#L1447"
        },
        {
          "name": "CWE-191: Integer Underflow (Wrap or Wraparound)",
          "tags": [
            "technical-description"
          ],
          "url": "https://cwe.mitre.org/data/definitions/191.html"
        },
        {
          "name": "CWE-125: Out-of-bounds Read",
          "tags": [
            "technical-description"
          ],
          "url": "https://cwe.mitre.org/data/definitions/125.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "x_assigner_notes": "The missing recv_len lower-bound check was verified by direct source inspection of iso14229.c at the v0.9.0 release tag area and at main HEAD: Handle_0x27_SecurityAccess() begins at line 1447 with \u0027uint8_t subFunction = r-\u003erecv_buf[1];\u0027 and reaches the underflowing \u0027len = (uint16_t)(r-\u003erecv_len - UDS_0X27_REQ_BASE_LEN)\u0027 at lines 1473 and 1511 without any guard on recv_len. Every other sub-function handler in the same file (Handle_0x10 at L911, Handle_0x11 at L960, Handle_0x14 at L996, Handle_0x19 at L1038 with per-sub-function checks, Handle_0x23 at L1418, Handle_0x28 at L1534, and others) performs an explicit \u0027if (r-\u003erecv_len \u003c UDS_0X\u003cXX\u003e_REQ_*_LEN) return NegativeResponse(...)\u0027 check before indexing recv_buf - 0x27 is the sole missing one. The recommended fix is the one-liner: \u0027if (r-\u003erecv_len \u003c UDS_0X27_REQ_BASE_LEN) return NegativeResponse(r, UDS_NRC_IncorrectMessageLengthOrInvalidFormat);\u0027 at the top of the handler, matching the project\u0027s existing pattern. The vulnerability was disclosed to the upstream maintainer through a private GitHub security advisory on 2026-05-26. CVSS scoring matches the precedent set by CVE-2026-54412 (MQTT-C OOB read / integer underflow): VC:L for the bounded heap-byte disclosure, VA:H for the crash on resource-constrained embedded targets, AV:N because the same library is deployed behind DoIP-over-Ethernet diagnostic gateways. Downstream consumers using iso14229 strictly over physical CAN-only deployments may locally lower attackVector to ADJACENT when scoring their own environment.",
      "x_author": "Burxonov Muslimbek",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
    "assignerShortName": "TuranSec",
    "cveId": "CVE-2026-54413",
    "datePublished": "2026-06-14T17:38:16.326Z",
    "dateReserved": "2026-06-13T16:39:46.122Z",
    "dateUpdated": "2026-06-14T17:38:16.326Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}