Cyber Posture

CVE-2026-37541

Critical

Published: 01 May 2026

Published
01 May 2026
Modified
07 May 2026
KEV Added
Patch
CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0022 44.3th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Buffer overflow vulnerability in Open Vehicle Monitoring System 3 (OVMS3) 3.3.005. In canformat_gvret.cpp, the length field in GVRET binary data is not properly validated, allowing remote attackers to cause a denial of service or possibly execute arbitrary code via crafted…

more

GVRET frames.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly requires validation of length fields in incoming GVRET binary data to prevent buffer overflows from crafted frames.

SI-16 Memory Protection good match
prevent

Implements memory safeguards like stack canaries, ASLR, and DEP to block arbitrary code execution even if buffer overflow occurs.

SI-2 Flaw Remediation good match
prevent

Ensures timely identification, patching, and deployment of fixes for the specific buffer overflow flaw in OVMS3 canformat_gvret.cpp.

Security SummaryAI

CVE-2026-37541 is a buffer overflow vulnerability (CWE-121) affecting Open Vehicle Monitoring System 3 (OVMS3) version 3.3.005. The issue resides in the file canformat_gvret.cpp, where the length field in GVRET binary data is not properly validated. This flaw earned a maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity with network accessibility, low complexity, no privileges or user interaction required, and scope change.

Remote attackers can exploit this vulnerability by sending crafted GVRET frames over the network. Unauthenticated adversaries require no special privileges and face low barriers to exploitation, potentially causing a denial of service through crashes or, in some cases, achieving arbitrary code execution with high confidentiality, integrity, and availability impacts due to the scope change.

Mitigation details are referenced in the following advisories: https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 and the project repository at https://github.com/openvehicles/Open-Vehicle-Monitoring-System-3. Security practitioners should consult these sources for patch availability or workarounds specific to OVMS3 deployments.

Details

CWE(s)
CWE-121

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Remote unauthenticated buffer overflow in public-facing OVMS3 application enables initial access via exploitation of the vulnerable network service, directly mapping to T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References