CVE-2026-37537 Overview
CVE-2026-37537 is an integer underflow vulnerability [CWE-190] in the collin80/Open-SAE-J1939 library, an open-source implementation of the SAE J1939 protocol used in commercial vehicle Controller Area Network (CAN) communications. The flaw resides in the Transport Protocol Data Transfer (TP.DT) handling logic. An attacker on an adjacent CAN network can send a crafted frame with a sequence number of zero, triggering an underflow that produces an out-of-bounds write beyond the MAX_TP_DT buffer. The vulnerability affects code through commit 744024d4306bc387857dfce439558336806acb06 dated 2023-03-08.
Critical Impact
An adjacent attacker can corrupt memory beyond the transport protocol buffer, leading to integrity loss and denial of service on embedded controllers using the affected library.
Affected Products
- collin80/Open-SAE-J1939 through commit 744024d4306bc387857dfce439558336806acb06 (2023-03-08)
- Embedded systems and Electronic Control Units (ECUs) integrating the affected J1939 transport stack
- Forks and downstream projects derived from the vulnerable commit
Discovery Timeline
- 2026-05-01 - CVE-2026-37537 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-37537
Vulnerability Analysis
The SAE J1939 Transport Protocol enables multi-packet message transfer over CAN by splitting payloads into sequenced segments. Each Data Transfer (TP.DT) frame begins with a one-byte sequence number followed by up to seven data bytes. The receiver uses this sequence number to compute the destination offset within a reassembly buffer.
In the affected code, line 23 computes the destination index as uint8_t index = data[0] - 1. When the attacker-controlled data[0] value is zero, the unsigned subtraction wraps around, producing index = 255. The library then writes seven bytes to tp_dt->data[255*7 + i-1], reaching offset 1791 in a buffer sized at MAX_TP_DT (1785 bytes). The result is a six-byte out-of-bounds write into adjacent memory.
Root Cause
The root cause is a missing input validation check on the J1939 sequence number before arithmetic conversion. The protocol specification reserves sequence number zero, yet the library accepts it and performs unsigned arithmetic without bounds enforcement. Combined with the truncation behavior of uint8_t, this produces a deterministic underflow path from a single malformed CAN frame.
Attack Vector
Exploitation requires CAN bus access adjacent to the target ECU. The attacker injects a TP.DT frame with data[0] = 0x00 and seven controlled payload bytes. No authentication or user interaction is required because J1939 traffic is unauthenticated by design. The six bytes written past the buffer can corrupt adjacent global state, function pointers, or stack-resident structures depending on the embedded compiler layout, enabling integrity compromise and reliable denial of service.
Further implementation context is available in the GitHub Open SAE J1939 Repository and the GitHub Gist Code Snippet.
Detection Methods for CVE-2026-37537
Indicators of Compromise
- TP.DT (PGN 0xEB00) CAN frames containing a sequence number byte of 0x00, which is invalid per the J1939-21 specification.
- Unexpected ECU resets, watchdog reboots, or diagnostic trouble codes coinciding with multi-packet J1939 traffic.
- Anomalous writes to memory regions adjacent to the J1939 reassembly buffer detected during firmware runtime tracing.
Detection Strategies
- Deploy CAN bus intrusion detection systems that parse J1939 transport protocol fields and flag sequence number violations.
- Add assertion logic in firmware builds to log or halt when data[0] == 0 is observed in TP.DT handlers.
- Perform static analysis of forks of Open-SAE-J1939 to confirm whether the vulnerable arithmetic at line 23 of the TP.DT handler has been patched.
Monitoring Recommendations
- Capture and baseline J1939 traffic on production vehicle networks to establish normal sequence number distributions.
- Forward CAN gateway logs to a centralized analytics platform and alert on TP.DT frames with reserved or out-of-range sequence values.
- Monitor ECU telemetry for memory corruption symptoms such as fault codes, unexpected resets, and abnormal control loop behavior.
How to Mitigate CVE-2026-37537
Immediate Actions Required
- Audit all firmware images and projects that incorporate collin80/Open-SAE-J1939 and identify whether they ship code at or before commit 744024d4306bc387857dfce439558336806acb06.
- Apply input validation to reject TP.DT frames where the sequence number is zero or exceeds the negotiated packet count.
- Restrict physical and logical access to CAN buses where vulnerable ECUs operate, including diagnostic ports and telematics gateways.
Patch Information
No official upstream patch is referenced in the NVD entry for collin80/Open-SAE-J1939. Maintainers and integrators should add a guard that rejects sequence number zero and validates that the computed write offset stays within MAX_TP_DT. The actively maintained fork at the GitHub Open SAE J1939 Project should be reviewed as an alternative implementation source.
Workarounds
- Insert a bounds check before computing the index: validate that data[0] >= 1 and (data[0]-1)*7 + 7 <= MAX_TP_DT prior to writing.
- Replace the uint8_t index type with a wider integer and explicitly clamp values before arithmetic.
- Deploy a CAN firewall or gateway filter that drops malformed J1939 TP.DT frames before they reach vulnerable ECUs.
# Configuration example: filter malformed J1939 TP.DT frames using Linux SocketCAN
# Drop TP.DT frames (PGN 0xEB00) where the first data byte (sequence number) is 0x00
cansniffer -c can0 | grep -E 'EB[0-9A-F]{2} .* 00 '
# Example cangw rule to block frames matching the vulnerable pattern
cangw -A -s can0 -d can1 -e -f EB0000:FFFF00 -m SET:IL:00
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
