CVE-2026-37530 Overview
CVE-2026-37530 is a stack buffer overflow in the Automotive Grade Linux (AGL) agl-service-can-low-level component through version 17.1.12. The flaw resides in the bundled uds-c library, specifically in the send_diagnostic_request function inside uds.c. The function allocates a 6-byte stack buffer defined by MAX_DIAGNOSTIC_PAYLOAD_SIZE but copies up to 7 bytes (MAX_UDS_REQUEST_PAYLOAD_LENGTH) using memcpy at an offset of 1+pid_length. The mismatch produces 1 to 4 bytes of attacker-controlled stack overflow. The payload_length field is a uint8_t with no bounds check against the destination buffer.
Critical Impact
On 32-bit ARM automotive Electronic Control Units (ECUs) compiled without stack canaries, the overflow can overwrite the saved return address and lead to remote code execution over the CAN diagnostic interface.
Affected Products
- AGL agl-service-can-low-level through 17.1.12
- Bundled uds-c library (uds.c, send_diagnostic_request)
- Automotive Linux deployments on 32-bit ARM ECUs without stack protection
Discovery Timeline
- 2026-05-01 - CVE-2026-37530 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-37530
Vulnerability Analysis
The vulnerability is a classic stack-based buffer overflow [CWE-121] in the Unified Diagnostic Services (UDS) request handling path. The send_diagnostic_request function in uds.c constructs an outgoing CAN diagnostic frame on the stack. The destination buffer is sized using MAX_DIAGNOSTIC_PAYLOAD_SIZE set to 6 bytes. The function then writes a header byte plus a Parameter ID (PID) of 1 to 2 bytes, followed by a memcpy that copies up to MAX_UDS_REQUEST_PAYLOAD_LENGTH (7 bytes) of caller-supplied payload.
When the PID length and payload length combine, the total bytes written exceed the 6-byte destination by 1 to 4 bytes. The payload_length value is taken from a uint8_t controlled by the request originator and is never validated against the buffer capacity.
Root Cause
The defect stems from two inconsistent constants in the same translation unit. MAX_DIAGNOSTIC_PAYLOAD_SIZE (6) defines the buffer, while MAX_UDS_REQUEST_PAYLOAD_LENGTH (7) defines the maximum copy length. The code path trusts the caller-supplied payload_length without comparing it to the actual destination size after accounting for the header byte and PID bytes already written at offset 1+pid_length.
Attack Vector
An attacker with access to the CAN diagnostic interface, or to any service that forwards UDS requests into agl-service-can-low-level, can craft a request with a maximum-sized payload and a multi-byte PID. The resulting memcpy writes 1 to 4 bytes past the stack buffer. On 32-bit ARM ECUs built without -fstack-protector and without Address Space Layout Randomization (ASLR) on the relevant mappings, the overwritten bytes can corrupt the saved frame pointer or the return address. This enables hijacking of control flow when the function returns. The CVSS vector indicates a network-reachable, no-privilege, no-interaction path with high availability impact.
No public proof-of-concept exploit has been published. See the Automotive Linux Gerrit resource and the referenced GitHub Gist code snippet for the affected code paths.
Detection Methods for CVE-2026-37530
Indicators of Compromise
- UDS diagnostic requests where payload_length exceeds 3 bytes combined with multi-byte PID values targeting agl-service-can-low-level.
- Unexpected crashes, segmentation faults, or restarts of the agl-service-can-low-level binary recorded in journalctl or systemd unit logs.
- Anomalous CAN traffic on diagnostic CAN IDs originating from non-OEM tools or untrusted in-vehicle network segments.
Detection Strategies
- Inspect CAN bus telemetry for ISO 14229 UDS request frames whose service byte, identifier and payload together exceed MAX_DIAGNOSTIC_PAYLOAD_SIZE (6 bytes): more than 4 payload bytes with a 1-byte PID, or more than 3 with a 2-byte PID.
- Run the affected binary under AddressSanitizer (ASan) or with stack canaries enabled in test builds to surface the overflow during fuzzing.
- Review uds.c source for any local fork or vendor branch that retains the inconsistent MAX_DIAGNOSTIC_PAYLOAD_SIZE versus MAX_UDS_REQUEST_PAYLOAD_LENGTH constants.
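The CAN-level check from the detection strategies above and the oversized-payload indicator, as an added C example (not part of the advisory, of AGL or of uds-c). It treats 0x7DF and 0x7E0-0x7E7 as the diagnostic request identifiers, follows the ISO-TP single-frame and first-frame layout, and assumes a 1-byte PID for OBD-II modes 0x01-0x0A and a 2-byte identifier for other services; the sample frames are constructed for the example, and both the identifier range and the PID-width rule should be adjusted to the vehicle's actual addressing and to how the deployed uds.c sizes PIDs:

```c
/* Added example (not advisory or project code): flag UDS request frames whose
   SID + PID + payload would not fit the 6-byte buffer in send_diagnostic_request. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_DIAGNOSTIC_PAYLOAD_SIZE 6   /* destination buffer size named in the advisory */

typedef struct { uint32_t id; uint8_t dlc; uint8_t data[8]; } can_frame_t;

typedef struct {
    uint32_t id;
    uint8_t  sid;
    uint8_t  pid_length;
    size_t   payload_length;   /* bytes after SID and PID */
    size_t   total;            /* SID + PID + payload: what the 6-byte buffer must hold */
    size_t   overrun;          /* bytes past MAX_DIAGNOSTIC_PAYLOAD_SIZE, 0 if it fits */
} uds_finding_t;

/* Assumption: classic OBD/UDS request addressing (functional 0x7DF, physical 0x7E0-0x7E7). */
static bool is_diag_request_id(uint32_t id) { return id == 0x7DF || (id >= 0x7E0 && id <= 0x7E7); }

/* Assumption: OBD-II modes 0x01-0x0A carry a 1-byte PID, other services a 2-byte identifier. */
static uint8_t pid_width_for(uint8_t sid) { return (sid >= 0x01 && sid <= 0x0A) ? 1 : 2; }

/* Returns 1 and fills *out when the frame describes a request that overruns the buffer.
   *out is also filled for requests that fit, so callers can log the computed sizes. */
int check_frame(const can_frame_t *f, uds_finding_t *out)
{
    if (!is_diag_request_id(f->id) || f->dlc < 2) return 0;
    size_t total; uint8_t sid;
    switch (f->data[0] >> 4) {
    case 0x0: /* ISO-TP single frame: low nibble is the length of SID + data */
        total = f->data[0] & 0x0F;
        if (total < 1 || total + 1 > f->dlc) return 0;
        sid = f->data[1];
        break;
    case 0x1: /* ISO-TP first frame: 12-bit total length, SID is the third byte */
        if (f->dlc < 3) return 0;
        total = ((size_t)(f->data[0] & 0x0F) << 8) | f->data[1];
        sid = f->data[2];
        break;
    default:  /* consecutive and flow-control frames carry no SID */
        return 0;
    }
    uint8_t pw = pid_width_for(sid);
    if (total < 1u + pw) return 0;   /* too short to be a complete request */
    out->id = f->id; out->sid = sid; out->pid_length = pw;
    out->payload_length = total - 1 - pw;
    out->total = total;
    out->overrun = total > MAX_DIAGNOSTIC_PAYLOAD_SIZE ? total - MAX_DIAGNOSTIC_PAYLOAD_SIZE : 0;
    return out->overrun > 0;
}

/* Scans a capture and returns the number of overrunning requests written to findings. */
size_t scan_frames(const can_frame_t *frames, size_t n, uds_finding_t *findings, size_t cap)
{
    size_t found = 0;
    for (size_t i = 0; i < n && found < cap; i++)
        if (check_frame(&frames[i], &findings[found])) found++;
    return found;
}

/* Constructed sample traffic (not a real capture). */
const can_frame_t SAMPLE_FRAMES[] = {
    { 0x7E0, 8, { 0x02, 0x01, 0x0C } },                               /* mode 01 PID 0C: fits */
    { 0x7E0, 8, { 0x03, 0x22, 0xF1, 0x90 } },                         /* RDBI F190, no data: fits */
    { 0x7E0, 8, { 0x06, 0x22, 0xF1, 0x90, 0x41, 0x42, 0x43 } },       /* 2-byte PID + 3 payload: exactly 6 */
    { 0x7E0, 8, { 0x07, 0x22, 0xF1, 0x90, 0x41, 0x42, 0x43, 0x44 } }, /* 2-byte PID + 4 payload: 1 over */
    { 0x7DF, 8, { 0x07, 0x01, 0x0C, 0x41, 0x42, 0x43, 0x44, 0x45 } }, /* 1-byte PID + 5 payload: 1 over */
    { 0x7E0, 8, { 0x10, 0x0A, 0x22, 0xF1, 0x90, 0x41, 0x42, 0x43 } }, /* first frame, 10 bytes: 4 over */
    { 0x7E8, 8, { 0x03, 0x7F, 0x22, 0x13 } },                         /* response ID: ignored */
    { 0x123, 8, { 0x07, 0x22, 0xF1, 0x90, 0x41, 0x42, 0x43, 0x44 } }, /* not a diagnostic ID: ignored */
};
#define SAMPLE_FRAME_COUNT (sizeof SAMPLE_FRAMES / sizeof SAMPLE_FRAMES[0])

int main(void)
{
    uds_finding_t hits[SAMPLE_FRAME_COUNT];
    size_t n = scan_frames(SAMPLE_FRAMES, SAMPLE_FRAME_COUNT, hits, SAMPLE_FRAME_COUNT);
    for (size_t i = 0; i < n; i++)
        printf("id 0x%03X sid 0x%02X pid_len %u payload_len %zu total %zu -> %zu byte(s) past buffer\n",
               (unsigned)hits[i].id, hits[i].sid, hits[i].pid_length,
               hits[i].payload_length, hits[i].total, hits[i].overrun);
    return 0;
}
```

On classic CAN a single frame can carry at most 7 bytes after the PCI byte, so the largest overrun visible in one frame is 1 byte; a multi-frame request (first frame with a larger total length) is the case that reaches the 3- and 4-byte overruns the advisory describes, which is why the first-frame branch is worth keeping in a gateway rule.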
Monitoring Recommendations
- Forward AGL service logs and CAN intrusion detection events into a centralized SIEM for correlation across fleet ECUs.
- Alert on repeated process restarts of agl-service-can-low-level within short time windows, which can indicate exploitation attempts.
- Track the integrity of the diagnostic interface and flag UDS sessions opened from unauthorized tester addresses.
How to Mitigate CVE-2026-37530
Immediate Actions Required
- Restrict access to the CAN diagnostic interface and gateway services that forward UDS requests to agl-service-can-low-level.
- Audit deployed AGL images for agl-service-can-low-level versions at or below 17.1.12 and prioritize them for update.
- Rebuild affected ECU firmware with -fstack-protector-strong and -D_FORTIFY_SOURCE=2 (with -O2), and enable the memory protections the 32-bit ARM target offers. The canary turns a smashed return address into an abort, and FORTIFY makes the memcpy a checked call where the compiler can bound the destination; these limit exploitation but do not remove the overflow, so the bounds check is still required.
Patch Information
No fixed version is referenced in the published advisory at this time. Monitor the Automotive Linux Gerrit project page for upstream commits that correct the size constant mismatch and add a bounds check on payload_length before the memcpy in send_diagnostic_request.
Workarounds
- Apply a local patch that validates payload_length + 1 + pid_length <= MAX_DIAGNOSTIC_PAYLOAD_SIZE before invoking memcpy in uds.c.
- Increase MAX_DIAGNOSTIC_PAYLOAD_SIZE to at least MAX_UDS_REQUEST_PAYLOAD_LENGTH plus the header byte and two PID bytes (10), then rebuild the affected component. This removes the mismatch for the current constants only; keep the bounds check as well so a later change to either constant cannot reintroduce the overflow.
- Enforce a CAN firewall policy on the gateway ECU that drops oversized UDS payloads before they reach the AGL service.
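The unchecked encode path described under Root Cause beside the bounds check from the first workaround above, as an added C example. This is a reconstruction of the pattern the advisory describes, not code from uds-c or AGL: the two constants are the ones named on the page; the request struct, the function names and the sample request (service 0x22, identifier 0xF190, a full 7-byte payload) are assumptions made for illustration. The overrun is written into a caller-owned array with a guard region so it can be inspected instead of corrupting this process's stack:

```c
/* Added example: reconstruction of the encode pattern the advisory describes.
   Not code from uds-c or AGL; names other than the two constants are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_DIAGNOSTIC_PAYLOAD_SIZE    6  /* destination buffer size named on the page */
#define MAX_UDS_REQUEST_PAYLOAD_LENGTH 7  /* source payload array size named on the page */

/* Hypothetical request shape, limited to the fields the advisory mentions. */
typedef struct {
    uint8_t  mode;                                   /* service byte written at offset 0 */
    uint8_t  pid_length;                             /* 0, 1 or 2 PID bytes written from offset 1 */
    uint16_t pid;
    uint8_t  payload[MAX_UDS_REQUEST_PAYLOAD_LENGTH];
    uint8_t  payload_length;                         /* uint8_t, request-controlled, unchecked upstream */
} diag_request_t;

/* How many bytes the unchecked memcpy lands past a 6-byte buffer (0 = fits). */
size_t overflow_bytes(uint8_t pid_length, uint8_t payload_length)
{
    size_t end = 1u + pid_length + payload_length;
    return end > MAX_DIAGNOSTIC_PAYLOAD_SIZE ? end - MAX_DIAGNOSTIC_PAYLOAD_SIZE : 0;
}

/* Vulnerable shape: header, PID, then memcpy at offset 1+pid_length with no bound.
   dst must be at least MAX_DIAGNOSTIC_PAYLOAD_SIZE + 4 bytes so the overrun stays
   inside a caller-owned array here and can be inspected. Returns bytes written. */
size_t encode_vulnerable(uint8_t *dst, const diag_request_t *req)
{
    size_t off = 0;
    dst[off++] = req->mode;
    if (req->pid_length == 2) dst[off++] = (uint8_t)(req->pid >> 8);
    if (req->pid_length >= 1) dst[off++] = (uint8_t)(req->pid & 0xff);
    memcpy(&dst[off], req->payload, req->payload_length);   /* the overflow: no bound check */
    return off + req->payload_length;
}

/* Hardened shape: same layout, but refuse anything that does not fit.
   Returns bytes written, or -1 when the request would overrun the buffer. */
int encode_checked(uint8_t dst[MAX_DIAGNOSTIC_PAYLOAD_SIZE], const diag_request_t *req)
{
    if (req->pid_length > 2 || req->payload_length > MAX_UDS_REQUEST_PAYLOAD_LENGTH)
        return -1;
    if ((size_t)req->payload_length + 1u + req->pid_length > MAX_DIAGNOSTIC_PAYLOAD_SIZE)
        return -1;                                           /* the missing check */
    size_t off = 0;
    dst[off++] = req->mode;
    if (req->pid_length == 2) dst[off++] = (uint8_t)(req->pid >> 8);
    if (req->pid_length >= 1) dst[off++] = (uint8_t)(req->pid & 0xff);
    memcpy(&dst[off], req->payload, req->payload_length);
    return (int)(off + req->payload_length);
}

/* Constructed worst case: 2-byte PID plus a full 7-byte payload (bytes 0x41..0x47). */
diag_request_t worst_case(void)
{
    diag_request_t r = { .mode = 0x22, .pid_length = 2, .pid = 0xF190,
                         .payload_length = MAX_UDS_REQUEST_PAYLOAD_LENGTH };
    for (int i = 0; i < MAX_UDS_REQUEST_PAYLOAD_LENGTH; i++) r.payload[i] = (uint8_t)(0x41 + i);
    return r;
}

int main(void)
{
    diag_request_t req = worst_case();
    uint8_t frame[MAX_DIAGNOSTIC_PAYLOAD_SIZE + 4];
    memset(frame, 0xAA, sizeof frame);                       /* 0xAA marks the guard bytes */
    size_t n = encode_vulnerable(frame, &req);
    printf("vulnerable wrote %zu bytes, %zu past the buffer; guard now:", n,
           overflow_bytes(req.pid_length, req.payload_length));
    for (size_t i = MAX_DIAGNOSTIC_PAYLOAD_SIZE; i < sizeof frame; i++) printf(" %02x", frame[i]);
    printf("\nchecked result: %d (request refused)\n", encode_checked(frame, &req));
    return 0;
}
```

In a real 6-byte local the four guard bytes here would be whatever sits above the array in the frame, which on the 32-bit ARM builds the advisory discusses can be the saved frame pointer or return address; the checked variant refuses the request before any copy happens, and the check compares against the destination constant rather than MAX_UDS_REQUEST_PAYLOAD_LENGTH so the two cannot drift apart again.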
# Configuration example: rebuild the AGL service with stack protection.
# Exporting CFLAGS in the calling shell does not reach a BitBake target build;
# set the flags through the build configuration instead (conf/local.conf):
require conf/distro/include/security_flags.inc
TARGET_CFLAGS:append:pn-agl-service-can-low-level = " -fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2"
TARGET_LDFLAGS:append:pn-agl-service-can-low-level = " -Wl,-z,relro -Wl,-z,now"
# Then rebuild the recipe from scratch so the new flags are applied:
bitbake -c cleansstate agl-service-can-low-level
bitbake agl-service-can-low-level
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


