Cyber Posture

CVE-2026-37539

Critical

Published: 01 May 2026

Published
01 May 2026
Modified
05 May 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0033 55.9th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Buffer overflow vulnerability in cannelloni v2.0.0 in CAN frame parsing in parser.cpp in function parseCANFrame, and decoder.cpp in function decodeFrame allowing remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted CAN FD frames.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Requires validation of incoming CAN FD frames to prevent buffer overflows from crafted malicious inputs in parseCANFrame and decodeFrame functions.

SI-2 Flaw Remediation good match
prevent

Directly remediates the specific buffer overflow flaw in cannelloni v2.0.0 through timely identification, testing, and deployment of patches.

SI-16 Memory Protection good match
prevent

Implements memory protection mechanisms like stack canaries, ASLR, and DEP to block arbitrary code execution even if buffer overflow occurs.

Security SummaryAI

CVE-2026-37539 is a buffer overflow vulnerability in cannelloni version 2.0.0, affecting CAN frame parsing in the parseCANFrame function within parser.cpp and the decodeFrame function within decoder.cpp. This issue, tied to CWE-121, enables remote attackers to trigger the vulnerability using crafted CAN FD frames. The flaw carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.

Attackers can exploit this vulnerability remotely over a network with low complexity, requiring no privileges or user interaction. Successful exploitation may cause a denial of service through application crashes or potentially allow arbitrary code execution, compromising confidentiality, integrity, and availability to a high degree.

Mitigation guidance and further details are available in the referenced advisory at https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 and the cannelloni GitHub repository at https://github.com/mguentner/cannelloni. The CVE was published on 2026-05-01T17:16:23.803.

Details

CWE(s)
CWE-121

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Remote buffer overflow in network-facing cannelloni parser enables unauthenticated exploitation via crafted frames for RCE or DoS, directly mapping to T1190 Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References