CVE-2026-42485 Overview
CVE-2026-42485 is a stack buffer overflow in the uds-c library used by Automotive Grade Linux (AGL) agl-service-can-low-level. The send_diagnostic_request function in uds.c allocates a 6-byte stack buffer defined by MAX_DIAGNOSTIC_PAYLOAD_SIZE=6 but copies up to 7 bytes via memcpy at an offset of 1+pid_length. The payload_length field is a uint8_t and lacks bounds validation against the destination buffer. The result is 1 to 4 bytes of attacker-controlled stack overflow on automotive Electronic Control Units (ECUs). On 32-bit ARM platforms without stack canaries, the flaw can lead to return address overwrite and remote code execution.
Critical Impact
A network-reachable attacker can corrupt the stack of a CAN bus diagnostic service running on automotive ECUs, causing service disruption and, on targets that lack stack hardening, code execution.
Affected Products
- AGL agl-service-can-low-level
- uds-c library (send_diagnostic_request function in uds.c)
- Automotive Grade Linux deployments on 32-bit ARM ECUs
Discovery Timeline
- 2026-05-01 - CVE-2026-42485 published to the National Vulnerability Database (NVD)
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-42485
Vulnerability Analysis
The vulnerability is a classic stack-based buffer overflow tracked under [CWE-121]. The send_diagnostic_request function allocates a fixed 6-byte payload buffer on the stack. The function then writes up to 7 bytes of caller-supplied data into that buffer using memcpy, beginning at an offset of 1+pid_length. The pid_length value is typically 2 or 3 bytes, which pushes the write past the end of the 6-byte allocation.
The payload_length field is declared as a uint8_t and is never compared against MAX_DIAGNOSTIC_PAYLOAD_SIZE. Because the source size constant MAX_UDS_REQUEST_PAYLOAD_LENGTH=7 exceeds the destination size MAX_DIAGNOSTIC_PAYLOAD_SIZE=6, the function reliably overruns by 1 to 4 bytes depending on the offset.
Root Cause
The root cause is a missing bounds check between two related size constants. Developers used MAX_UDS_REQUEST_PAYLOAD_LENGTH to size the source while sizing the destination with the smaller MAX_DIAGNOSTIC_PAYLOAD_SIZE. Adding 1+pid_length to the destination offset compounds the mismatch and guarantees the overrun under normal call paths.
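The size mismatch described above, reduced to a runnable model. This is an added example, not the uds-c library's code: the struct, overrun_bytes and build_payload_checked are hypothetical, while the three constants are the values the page gives. overrun_bytes computes how far the unchecked memcpy would write past the 6-byte buffer without performing the write; build_payload_checked is the hardened form that validates offset plus length before copying.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Size constants as the page describes them for uds-c. */
#define MAX_DIAGNOSTIC_PAYLOAD_SIZE    6   /* stack buffer in send_diagnostic_request */
#define MAX_UDS_REQUEST_PAYLOAD_LENGTH 7   /* caller-supplied payload array */
#define PID_BYTE_INDEX                 1   /* byte 0 holds the mode/service id */

/* Hypothetical simplified request struct (not the library's own type). */
typedef struct {
    uint8_t mode;
    uint8_t pid_length;       /* 0 when the request carries no PID */
    uint8_t payload_length;   /* uint8_t, never checked in the vulnerable code */
    uint8_t payload[MAX_UDS_REQUEST_PAYLOAD_LENGTH];
} model_request_t;

/* Vulnerable pattern, reduced to its arithmetic: the unchecked code does
 *   memcpy(&payload[PID_BYTE_INDEX + pid_length], src, payload_length);
 * into a 6-byte buffer. This returns how many bytes that write would land
 * past the end of the buffer (0 means it fits) without performing it. */
size_t overrun_bytes(uint8_t pid_length, uint8_t payload_length) {
    size_t end = (size_t)PID_BYTE_INDEX + pid_length + payload_length;
    return end > MAX_DIAGNOSTIC_PAYLOAD_SIZE ? end - MAX_DIAGNOSTIC_PAYLOAD_SIZE : 0;
}

/* Hardened form: validate offset + length against the destination before
 * copying. Returns false and leaves out[] untouched when it cannot fit. */
bool build_payload_checked(const model_request_t *req,
                           uint8_t out[MAX_DIAGNOSTIC_PAYLOAD_SIZE]) {
    size_t offset = (size_t)PID_BYTE_INDEX + req->pid_length;
    /* Two-step check avoids unsigned wrap in the subtraction. */
    if (req->payload_length > MAX_DIAGNOSTIC_PAYLOAD_SIZE ||
        offset > MAX_DIAGNOSTIC_PAYLOAD_SIZE - req->payload_length) {
        return false;
    }
    memset(out, 0, MAX_DIAGNOSTIC_PAYLOAD_SIZE);
    out[0] = req->mode;
    /* PID bytes would occupy out[1 .. offset-1]; omitted in this model. */
    memcpy(&out[offset], req->payload, req->payload_length);
    return true;
}
```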
Attack Vector
The attack vector is network reachable through the CAN low-level service used by AGL infotainment and telematics stacks. An attacker who can submit Unified Diagnostic Services (UDS) requests to the service can trigger the overflow by crafting a diagnostic frame with a maximal payload_length and a multi-byte PID. On 32-bit ARM ECUs compiled without stack canaries (-fstack-protector-strong), the overflow can overwrite the saved return address and pivot control flow. The CVSS vector indicates the primary outcome is high availability impact, with confidentiality and integrity unaffected by default exploitation paths.
No public proof-of-concept exploitation code has been verified. See the Automotive Linux Gerrit Page and the GitHub Gist Code Snippet for source-level context.
Detection Methods for CVE-2026-42485
Indicators of Compromise
- Unexpected crashes or restarts of the agl-service-can-low-level process on AGL-based ECUs.
- CAN bus diagnostic frames where payload_length approaches or equals MAX_UDS_REQUEST_PAYLOAD_LENGTH (7) combined with multi-byte pid_length values.
- Core dumps or kernel logs showing memory corruption inside send_diagnostic_request in uds.c.
Detection Strategies
- Audit any binary linking uds-c for the unpatched send_diagnostic_request and verify constant alignment between MAX_DIAGNOSTIC_PAYLOAD_SIZE and MAX_UDS_REQUEST_PAYLOAD_LENGTH.
- Run fuzzing campaigns against the UDS request handler with payloads of increasing length and varying PID widths.
- Inspect ECU build flags to confirm whether -fstack-protector-strong and Position Independent Executable (PIE) hardening are enabled.
Monitoring Recommendations
- Forward ECU systemd and crash telemetry to a centralized log pipeline and alert on repeated crashes of CAN diagnostic services.
- Monitor in-vehicle network gateways for malformed UDS frames originating from non-trusted sources or external interfaces.
- Track process restart counters on safety-relevant ECUs to surface repeated exploitation attempts.
How to Mitigate CVE-2026-42485
Immediate Actions Required
- Restrict access to the agl-service-can-low-level UDS endpoint so only authenticated diagnostic tools can issue requests.
- Apply upstream fixes from the AGL uds-c repository once published, then rebuild and reflash affected ECUs.
- Rebuild affected services with -fstack-protector-strong, -D_FORTIFY_SOURCE=2, PIE, and read-only relocations to limit exploitability.
Patch Information
No formal vendor advisory or fixed version is referenced in the NVD record at the time of publication. Track the Automotive Linux Gerrit Page for source updates to uds.c that align MAX_DIAGNOSTIC_PAYLOAD_SIZE with MAX_UDS_REQUEST_PAYLOAD_LENGTH or that add an explicit bounds check on payload_length.
Workarounds
- Filter inbound UDS requests at the in-vehicle gateway and drop frames with payload_length greater than the destination buffer size.
- Disable or firewall the CAN low-level diagnostic service on production ECUs that do not require runtime UDS access.
- Enforce CAN segmentation so untrusted networks (telematics, infotainment) cannot reach diagnostic ECUs directly.
# Configuration example - block oversized UDS payloads at a Linux CAN gateway
# Drop classical CAN frames whose ISO-TP PCI byte marks a Single Frame (high nibble 0)
# and whose length nibble (SF_DL) is greater than 6 bytes
cansend_filter --iface can0 \
  --drop-if '(data[0] & 0xF0) == 0x00 && (data[0] & 0x0F) > 0x06' \
  --log /var/log/uds-filter.log
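The gateway filter from the Workarounds section as a standalone check in C. This is an added example, not the page's configuration tool or any AGL component: isotp_single_frame_length and gateway_should_drop are hypothetical names, and the frames in the test are constructed. It parses the ISO 15765-2 PCI byte, rejects single frames whose length nibble exceeds the 6-byte destination buffer, drops malformed single frames, and passes multi-frame traffic through untouched since that needs reassembly state the filter does not keep.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Destination buffer size in uds-c as described on the page. */
#define MAX_DIAGNOSTIC_PAYLOAD_SIZE 6

/* ISO 15765-2 PCI type sits in the high nibble of data[0]; 0 is Single Frame. */
#define ISOTP_PCI_SINGLE_FRAME 0x0

/* Returns the Single Frame data length (SF_DL, low nibble of data[0]) for a
 * classical-CAN single frame, or -1 when the frame is not a single frame or
 * is inconsistent (SF_DL of 0 is the CAN FD escape; SF_DL larger than the
 * bytes actually present is malformed). */
int isotp_single_frame_length(const uint8_t *data, size_t dlc) {
    if (dlc < 1 || dlc > 8) {
        return -1;
    }
    if ((data[0] >> 4) != ISOTP_PCI_SINGLE_FRAME) {
        return -1;
    }
    int sf_dl = data[0] & 0x0F;
    if (sf_dl == 0 || (size_t)sf_dl > dlc - 1) {
        return -1;
    }
    return sf_dl;
}

/* Gateway policy: drop single frames whose UDS payload would not fit the
 * 6-byte destination buffer, and malformed single frames. Frames that are
 * not single frames are passed through (reassembly is out of scope here). */
bool gateway_should_drop(const uint8_t *data, size_t dlc) {
    if (dlc < 1 || dlc > 8) {
        return true;   /* not a valid classical CAN payload length */
    }
    if ((data[0] >> 4) != ISOTP_PCI_SINGLE_FRAME) {
        return false;  /* first / consecutive / flow-control frame */
    }
    int sf_dl = isotp_single_frame_length(data, dlc);
    return sf_dl < 0 || sf_dl > MAX_DIAGNOSTIC_PAYLOAD_SIZE;
}
```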
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.