CVE-2026-42467 Overview
CVE-2026-42467 is a denial of service vulnerability in Open-SAE-J1939, an open-source implementation of the SAE J1939 protocol used in heavy-duty vehicle and industrial Controller Area Network (CAN) bus communications. The flaw exists in the SAE_J1939_Read_Binary_Data_Transfer_DM16 function and is triggered by a crafted CAN frame on the J1939 bus. The issue affects the codebase up to commit b6caf884df46435e539b1ecbf92b6c29b345bdfe dated 2025-11-30. The weakness is classified as [CWE-400] Uncontrolled Resource Consumption, which can render the targeted node unresponsive on the bus.
Critical Impact
An attacker with access to the J1939 bus can send a single crafted CAN frame to cause a denial of service against any node running the vulnerable Open-SAE-J1939 code, disrupting availability of vehicle or industrial control communications.
Affected Products
- Open-SAE-J1939 up to commit b6caf884df46435e539b1ecbf92b6c29b345bdfe (2025-11-30)
- Embedded controllers and ECUs integrating the affected Open-SAE-J1939 stack
- Industrial and automotive systems using the vulnerable SAE_J1939_Read_Binary_Data_Transfer_DM16 handler
Discovery Timeline
- 2026-05-01 - CVE-2026-42467 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-42467
Vulnerability Analysis
The vulnerability resides in SAE_J1939_Read_Binary_Data_Transfer_DM16, a handler responsible for parsing DM16 binary data transfer messages within the J1939 diagnostic message family. DM16 messages carry binary payloads negotiated through the J1939 transport protocol. When the handler receives a crafted CAN frame, it fails to properly bound or validate the input, leading to resource exhaustion or an abnormal program state that halts processing.
The issue maps to [CWE-400] Uncontrolled Resource Consumption. The CVSS vector indicates a network-reachable, low-complexity attack requiring no privileges or user interaction, with availability as the only affected impact dimension. Confidentiality and integrity are not affected, consistent with a pure denial of service condition.
Root Cause
The root cause is missing or insufficient validation of fields in the inbound DM16 transfer frame inside SAE_J1939_Read_Binary_Data_Transfer_DM16. Maliciously chosen length, sequence, or control fields drive the function into a state that exhausts available resources or stalls the J1939 stack. Because J1939 nodes typically process bus traffic in a single-threaded loop, blocking this handler blocks the entire ECU communication path.
Attack Vector
Exploitation requires the ability to inject a CAN frame onto the J1939 bus. An attacker with logical or physical access to the bus, including through a compromised peer ECU, OBD-II diagnostic port, or a wireless gateway exposing CAN, can send the crafted DM16 frame. No authentication exists at the J1939 protocol layer, so any node on the bus can deliver the payload.
A proof-of-concept demonstrating the crafted CAN frame is referenced in the GitHub Gist exploit code. Refer to that gist for the precise frame structure rather than synthesizing test payloads.
Detection Methods for CVE-2026-42467
Indicators of Compromise
- Unexpected DM16 (PGN 55552 / 0xD900) frames originating from non-diagnostic nodes on the J1939 bus.
- ECU watchdog resets or loss of periodic J1939 heartbeat messages immediately after receipt of a DM16 transfer.
- Stalled responses to standard J1939 requests on a previously responsive node.
Detection Strategies
- Deploy a CAN bus intrusion detection sensor that baselines normal DM16 traffic patterns and alerts on anomalous senders or rates.
- Inspect J1939 transport protocol sessions for DM16 transfers that violate length, sequence, or session-state expectations.
- Correlate ECU availability telemetry with bus traffic captures to identify frames that precede node failures.
Monitoring Recommendations
- Forward CAN gateway and IDS logs into a centralized analytics platform such as Singularity Data Lake for retention and cross-fleet correlation.
- Monitor for repeated DM16 frames from a single source ID, which is uncommon in legitimate diagnostic workflows.
- Track ECU reboot counters and J1939 stack error counters as leading indicators of exploitation attempts.
How to Mitigate CVE-2026-42467
Immediate Actions Required
- Inventory all firmware images that integrate Open-SAE-J1939 at or before commit b6caf884df46435e539b1ecbf92b6c29b345bdfe and flag them for remediation.
- Restrict logical and physical access to the J1939 bus, including OBD-II ports and any wireless gateways that bridge to CAN.
- Add filtering at CAN gateways to drop DM16 frames originating from untrusted sources or external interfaces.
Patch Information
No official vendor patch is referenced in the published advisory at the time of writing. Maintainers and integrators should track the Open-SAE-J1939 repository for fixes after the affected commit b6caf884df46435e539b1ecbf92b6c29b345bdfe and apply input validation hardening to SAE_J1939_Read_Binary_Data_Transfer_DM16. Until an upstream fix lands, downstream consumers should apply local validation patches and rebuild affected firmware.
Workarounds
- Disable or stub the SAE_J1939_Read_Binary_Data_Transfer_DM16 handler in deployments that do not require DM16 binary data transfer.
- Add bounds checks on DM16 length and sequence fields before invoking the vulnerable handler.
- Enforce CAN gateway allowlists so only authorized diagnostic tools can issue DM16 transfers.
# Example CAN gateway filter concept (pseudocode)
# Drop DM16 (PGN 0xD900) frames from any source not on the diagnostic allowlist
if pgn == 0xD900 and source_addr not in DIAG_ALLOWLIST:
    drop_frame()
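The filter concept above, worked out in C as an added example (not code from the advisory or from the Open-SAE-J1939 project). It shows why the PGN has to be decoded from the 29-bit identifier before it is compared: with the PGN this page gives, the PDU format byte is below 240, so the low byte of the PGN field carries the destination address and a direct comparison misses addressed frames. The function names and the allowlist entries are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* DM16 PGN as given on this page; confirm it against the PGN table of the
 * J1939 stack you ship before deploying a filter built on it. */
#define DM16_PGN 0xD900u

/* Constructed allowlist: source addresses of authorized diagnostic tools. */
static const uint8_t DIAG_ALLOWLIST[] = { 0xF9u, 0xFAu };

/* Decode the PGN from a 29-bit J1939 identifier.
 * Layout: priority(3) | EDP(1) | DP(1) | PF(8) | PS(8) | SA(8). */
uint32_t j1939_pgn(uint32_t can_id)
{
    uint32_t pf  = (can_id >> 16) & 0xFFu;
    uint32_t pgn = (can_id >> 8) & 0x3FFFFu;   /* EDP, DP, PF, PS */
    if (pf < 240u)
        pgn &= 0x3FF00u;  /* PDU1: PS is the destination address, not PGN */
    return pgn;
}

/* Naive check shown for contrast: compares PF+PS directly, so it only
 * matches when the destination address byte happens to be 0x00. */
bool naive_is_dm16(uint32_t can_id)
{
    return ((can_id >> 8) & 0xFFFFu) == DM16_PGN;
}

static bool source_allowed(uint8_t sa)
{
    for (size_t i = 0; i < sizeof DIAG_ALLOWLIST; i++)
        if (DIAG_ALLOWLIST[i] == sa)
            return true;
    return false;
}

/* Gateway decision for one extended-ID frame: true = forward, false = drop. */
bool gateway_forward(uint32_t can_id)
{
    uint8_t sa = (uint8_t)(can_id & 0xFFu);
    if (j1939_pgn(can_id) != DM16_PGN)
        return true;               /* not DM16: outside this rule's scope */
    return source_allowed(sa);     /* DM16: allowlisted senders only */
}
```

The source address in a CAN frame is not authenticated, so this rule is only meaningful at a gateway that can tie a frame to the physical or logical interface it arrived on.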
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


