CVE-2026-37539 Overview
CVE-2026-37539 is a stack-based buffer overflow [CWE-121] in cannelloni v2.0.0, an open-source tool that tunnels Controller Area Network (CAN) frames over UDP. The flaw resides in the CAN frame parsing routines parseCANFrame in parser.cpp and decodeFrame in decoder.cpp. Remote attackers can trigger the overflow by sending crafted CAN FD frames to a listening cannelloni instance. Successful exploitation causes a denial of service through process crash and may permit arbitrary code execution on the host running the tunnel.
Critical Impact
Network-reachable cannelloni v2.0.0 endpoints can be crashed or potentially compromised by unauthenticated attackers using crafted CAN FD frames, putting CAN-over-UDP gateways and connected vehicle or industrial control segments at risk.
Affected Products
- cannelloni v2.0.0 (parser.cpp — parseCANFrame)
- cannelloni v2.0.0 (decoder.cpp — decodeFrame)
- Systems exposing cannelloni UDP listeners to untrusted networks
Discovery Timeline
- 2026-05-01 - CVE-2026-37539 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-37539
Vulnerability Analysis
Cannelloni encapsulates CAN and CAN FD frames inside UDP datagrams to bridge CAN buses across IP networks. When a UDP datagram arrives, cannelloni parses each embedded frame and copies its data payload into fixed-size structures used by the Linux SocketCAN API. The parser does not adequately validate the declared payload length of CAN FD frames against the destination buffer size before copying data. An attacker who can reach the listening UDP port can send a crafted frame whose declared length exceeds the maximum CAN FD payload of 64 bytes, causing the copy operation to write past the end of the stack-allocated frame structure.
The overflow corrupts adjacent stack data, including saved frame pointers and return addresses. At minimum, this produces a deterministic crash and denial of service for any downstream consumer of the CAN tunnel. With careful control of the overflow contents, an attacker may redirect execution flow and run arbitrary code in the context of the cannelloni process.
Root Cause
The root cause is missing bounds enforcement in parseCANFrame and decodeFrame. Both functions trust the length field embedded in the inbound packet rather than clamping it to the architectural maximum for classic CAN (8 bytes) or CAN FD (64 bytes). The result is a classic stack-based buffer overflow tracked under [CWE-121].
Attack Vector
Exploitation is fully remote and requires no authentication or user interaction. An attacker sends a single crafted UDP datagram containing a CAN FD frame header that advertises an oversized data length, followed by attacker-controlled payload bytes. The vulnerability is reachable wherever cannelloni is exposed beyond a trusted segment, including misconfigured vehicle gateways, industrial test benches, and remote diagnostic links. Public proof-of-concept material is referenced in the GitHub Gist PoC and the upstream GitHub Project Repository.
Detection Methods for CVE-2026-37539
Indicators of Compromise
- Unexpected termination, segmentation faults, or core dumps from the cannelloni process on gateway hosts.
- Inbound UDP datagrams to the cannelloni listener (default UDP/20000) whose embedded CAN FD length field exceeds 64 bytes.
- Source IP addresses sending malformed CAN-over-UDP traffic from outside trusted CAN tunneling peers.
Detection Strategies
- Deploy network IDS signatures that inspect cannelloni UDP payloads and flag CAN FD frames whose declared length exceeds 64 bytes or where payload size is inconsistent with the header.
- Correlate cannelloni process crashes with concurrent inbound UDP traffic to identify exploitation attempts.
- Monitor systemd or supervisor restart events for the cannelloni service, which often indicate repeated crash conditions.
Monitoring Recommendations
- Forward host logs and process exit telemetry from cannelloni gateways to a central SIEM for correlation.
- Capture and retain NetFlow or full-packet traces for UDP traffic destined to cannelloni listeners on operational technology networks.
- Alert on any cannelloni endpoint communicating with peers outside an explicit allowlist of tunneling partners.
How to Mitigate CVE-2026-37539
Immediate Actions Required
- Inventory all cannelloni v2.0.0 deployments, including embedded gateways, test benches, and developer workstations.
- Restrict the cannelloni UDP port to trusted peers using host firewalls, VPN tunnels, or network segmentation.
- Stop or disable any cannelloni instance that is exposed to untrusted networks until a fixed build is available.
Patch Information
No fixed release was referenced in the NVD entry at publication. Track the upstream GitHub Project Repository for commits that add bounds checks to parseCANFrame and decodeFrame, and rebuild from source once the maintainer releases a patched commit or tagged version.
Workarounds
- Bind cannelloni to loopback or a dedicated management interface rather than a routable address.
- Tunnel cannelloni traffic exclusively over an authenticated VPN such as WireGuard or IPsec to remove unauthenticated network exposure.
- Apply strict ingress filtering to drop UDP datagrams from any source not on the CAN tunneling allowlist.
- Run cannelloni under a dedicated, unprivileged service account with seccomp or AppArmor confinement to limit post-exploitation impact.
# Configuration example: restrict cannelloni to trusted peer over WireGuard
# /etc/nftables.d/cannelloni.nft
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "wg0" udp dport 20000 ip saddr 10.10.0.2 accept
udp dport 20000 drop
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
