CVE-2026-44905 Overview
CVE-2026-44905 is a denial-of-service vulnerability in Vanetza, an open-source implementation of the ETSI Cooperative Intelligent Transport Systems (C-ITS) protocol suite. The flaw affects version 26.02 and earlier. Attackers can send crafted V2X messages containing certificates with malformed Provider Service Identifier (Psid) fields. The Abstract Syntax Notation One (ASN.1) decoder accepts these structures as syntactically valid during initial parsing. However, when the StraightVerifyService later re-encodes the signing certificate to compute a message hash, the encoder throws an uncaught std::runtime_error. The unhandled exception propagates to std::terminate, causing immediate process termination. The vulnerability is tracked under CWE-248: Uncaught Exception.
Critical Impact
A single crafted V2X message can terminate the Vanetza process remotely without authentication or user interaction, disrupting cooperative vehicle-to-everything communications.
Affected Products
- Vanetza version 26.02 and earlier
- Systems running the Vanetza C-ITS protocol stack
- V2X deployments using Vanetza's cryptographic verification pipeline
Discovery Timeline
- 2026-05-26 - CVE-2026-44905 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-44905
Vulnerability Analysis
The vulnerability resides in Vanetza's cryptographic verification pipeline for incoming V2X messages. The ASN.1 decoder validates incoming certificate structures for syntactic correctness but does not enforce semantic subtype constraints during initial parsing. This validation gap creates a logic-based protocol failure exploitable through crafted input.
When StraightVerifyService processes a message, it must recompute the signing certificate's hash for signature verification. The re-encoding step invokes the ASN.1 wrapper at asn1c_wrapper.cpp, which enforces Octet Encoding Rules (OER) semantic constraints. A Psid field containing an out-of-range value or invalid CHOICE variant triggers a std::runtime_error during encoding. The exception escapes the verification path without being caught, reaching std::terminate and killing the process.
Root Cause
The root cause is asymmetric constraint enforcement between ASN.1 decoding and OER re-encoding paths combined with missing exception handling. The decoder accepts certificates that the encoder later rejects. No try/catch block wraps the hash calculation, allowing exceptions to terminate the process.
Attack Vector
An unauthenticated remote attacker sends a single crafted V2X message containing a certificate with a malformed Psid sub-type. The message passes initial ASN.1 parsing and reaches StraightVerifyService. The subsequent re-encoding step throws an uncaught exception, terminating the Vanetza process and disrupting cooperative communications.
return confirm;
}
- ByteBuffer msg_hash = v3::calculate_message_hash(m_backend, msg.hash_id(),
- msg.signing_payload(), v3::CertificateView { certificate });
- if (!m_backend.verify_digest(*public_key, msg_hash, *signature)) {
- confirm.report = VerificationReport::False_Signature;
+ try {
+ ByteBuffer msg_hash = v3::calculate_message_hash(m_backend, msg.hash_id(),
+ msg.signing_payload(), v3::CertificateView { certificate });
+ if (!m_backend.verify_digest(*public_key, msg_hash, *signature)) {
+ confirm.report = VerificationReport::False_Signature;
+ return confirm;
+ }
+ } catch (const std::exception&) {
+ // malformed input data, e.g. failing certificate encoding
+ confirm.report = VerificationReport::Incompatible_Protocol;
return confirm;
}
Source: GitHub Commit e1a2e27. The patch wraps the hash calculation and digest verification in a try/catch block. Malformed certificates now return VerificationReport::Incompatible_Protocol instead of crashing.
Detection Methods for CVE-2026-44905
Indicators of Compromise
- Unexpected termination of Vanetza processes without crash dump from memory corruption
- Process exits with std::terminate signature in system logs
- Repeated V2X message processing failures preceding service termination
- Inbound V2X messages containing certificates with anomalous Psid field values
Detection Strategies
- Monitor Vanetza process lifecycle events and abnormal termination patterns
- Inspect V2X traffic for certificates with Psid sub-types violating ETSI specification ranges
- Correlate process restarts with timestamps of incoming message bursts
- Deploy ASN.1-aware deep packet inspection on V2X interfaces where feasible
Monitoring Recommendations
- Enable verbose logging in StraightVerifyService to capture certificate parsing anomalies
- Track exception counters and process restart frequency on V2X gateways
- Alert on repeated Incompatible_Protocol verification reports after applying the patch
- Forward Vanetza application logs to a centralized analytics platform for correlation
How to Mitigate CVE-2026-44905
Immediate Actions Required
- Upgrade Vanetza to a build that includes commit e1a2e2709210d309458c3d77f98d50dec26c0df0
- Rebuild and redeploy all V2X services linking against the affected Vanetza library
- Restrict V2X message ingress to trusted peers where the network architecture permits
- Implement process supervision to automatically restart Vanetza on unexpected termination
Patch Information
The fix is available in commit e1a2e2709210d309458c3d77f98d50dec26c0df0 in the upstream Vanetza repository. The patch wraps v3::calculate_message_hash and signature verification in a try/catch block that returns VerificationReport::Incompatible_Protocol instead of propagating the exception. See the GitHub Security Advisory GHSA-q9fq-3rx9-7xcv for full advisory details.
Workarounds
- Deploy a watchdog or systemd service unit to restart Vanetza on termination
- Filter V2X traffic at the network boundary to block messages from untrusted sources
- Apply the upstream patch as an out-of-tree modification if upgrading is not immediately possible
# Example systemd unit to auto-restart Vanetza after crash
[Service]
ExecStart=/usr/local/bin/vanetza
Restart=always
RestartSec=2s
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
