{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-54413", "assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "state": "PUBLISHED", "assignerShortName": "TuranSec", "dateReserved": "2026-06-13T16:39:46.122Z", "datePublished": "2026-06-14T17:38:16.326Z", "dateUpdated": "2026-06-14T17:38:16.326Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "shortName": "TuranSec", "dateUpdated": "2026-06-14T17:38:16.326Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-191", "description": "CWE-191 Integer Underflow (Wrap or Wraparound)", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "A remote unauthenticated attacker who can send a single SecurityAccess (SID 0x27) UDS request to a server built on iso14229 - over CAN bus, OBD-II, ISO-TP, or DoIP - crashes the diagnostic server process and may incidentally read up to roughly 64 KB of memory past the receive buffer through the callback the underflowed length is handed to. In automotive and industrial deployments this denies UDS diagnostics for the affected ECU or controller and, on bare-metal targets without memory protection, the resulting hard fault can take the whole control loop down for the duration of the watchdog reset cycle. No prior authentication, no SecurityAccess unlock, and no user interaction are required - the SecurityAccess handler is reachable in the default session."}]}], "affected": [{"vendor": "driftregion", "product": "iso14229", "collectionURL": "https://github.com/driftregion/iso14229", "repo": "https://github.com/driftregion/iso14229", "programFiles": ["iso14229.c"], "programRoutines": [{"name": "Handle_0x27_SecurityAccess"}], "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "0.9.0", "versionType": "semver"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "driftregion iso14229 through 0.9.0 contains an integer underflow and downstream out-of-bounds read in the Handle_0x27_SecurityAccess() function in iso14229.c that allows a remote unauthenticated attacker to crash a UDS server and potentially read memory past the receive buffer by sending a single-byte 0x27 SecurityAccess request that follows any earlier well-formed 0x27 message. The handler reads the SecurityAccess subFunction from recv_buf[1] without first checking that recv_len is at least 2, then computes the key-data length as the unsigned subtraction (uint16_t)(recv_len - UDS_0X27_REQ_BASE_LEN); when recv_len equals 1 the result underflows to 65535 and is passed as args.len to the application's SecAccessValidateKey or SecAccessRequestSeed callback, which typically iterates or copies that many bytes from the 4-KB receive buffer. Every other UDS sub-function handler in the library (0x10, 0x11, 0x14, 0x19, 0x22, 0x23, 0x28, and others) performs an explicit recv_len lower-bound check before indexing; Handle_0x27_SecurityAccess is the sole outlier. The vulnerable handler reaches over CAN bus, OBD-II, ISO-TP, and DoIP transports and is exposed in the default diagnostic session without prior authentication; deployments on automotive ECUs, industrial controllers, and IoT devices that ship iso14229 as their UDS server are affected.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>driftregion iso14229 through 0.9.0 contains an integer underflow and downstream out-of-bounds read in the <code>Handle_0x27_SecurityAccess()</code> function in <code>iso14229.c</code> that allows a remote unauthenticated attacker to crash a UDS server and potentially read memory past the receive buffer by sending a single-byte <code>0x27</code> SecurityAccess request that follows any earlier well-formed <code>0x27</code> message. The handler reads the SecurityAccess subFunction from <code>recv_buf[1]</code> without first checking that <code>recv_len</code> is at least 2, then computes the key-data length as the unsigned subtraction <code>(uint16_t)(recv_len - UDS_0X27_REQ_BASE_LEN)</code>; when <code>recv_len</code> equals 1 the result underflows to 65535 and is passed as <code>args.len</code> to the application's <code>SecAccessValidateKey</code> or <code>SecAccessRequestSeed</code> callback, which typically iterates or copies that many bytes from the 4-KB receive buffer. Every other UDS sub-function handler in the library (<code>0x10</code>, <code>0x11</code>, <code>0x14</code>, <code>0x19</code>, <code>0x22</code>, <code>0x23</code>, <code>0x28</code>, and others) performs an explicit <code>recv_len</code> lower-bound check before indexing; <code>Handle_0x27_SecurityAccess</code> is the sole outlier. The vulnerable handler reaches over CAN bus, OBD-II, ISO-TP, and DoIP transports and is exposed in the default diagnostic session without prior authentication; deployments on automotive ECUs, industrial controllers, and IoT devices that ship iso14229 as their UDS server are affected.</p>"}]}], "references": [{"url": "https://github.com/driftregion/iso14229", "name": "driftregion/iso14229 - upstream repository", "tags": ["product"]}, {"url": "https://github.com/driftregion/iso14229/blob/main/iso14229.c#L1447", "name": "Vulnerable Handle_0x27_SecurityAccess() in iso14229.c", "tags": ["product"]}, {"url": "https://cwe.mitre.org/data/definitions/191.html", "name": "CWE-191: Integer Underflow (Wrap or Wraparound)", "tags": ["technical-description"]}, {"url": "https://cwe.mitre.org/data/definitions/125.html", "name": "CWE-125: Out-of-bounds Read", "tags": ["technical-description"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "A remote attacker on the same diagnostic transport (CAN/OBD-II/ISO-TP/DoIP) sends one well-formed SecurityAccess request followed by a single-byte 0x27 frame; the second frame triggers the integer underflow in Handle_0x27_SecurityAccess and the application's SecAccessValidateKey or SecAccessRequestSeed callback then reads up to 65535 bytes past the 4-KB receive buffer, crashing the UDS server process or the bare-metal ECU."}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "Safety": "NOT_DEFINED", "Automatable": "YES", "Recovery": "NOT_DEFINED", "valueDensity": "DIFFUSE", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 7.8, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/AU:Y/V:D"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 8.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"}}], "credits": [{"lang": "en", "value": "Burxonov Muslimbek", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.2"}, "x_author": "Burxonov Muslimbek", "x_assigner_notes": "The missing recv_len lower-bound check was verified by direct source inspection of iso14229.c at the v0.9.0 release tag area and at main HEAD: Handle_0x27_SecurityAccess() begins at line 1447 with 'uint8_t subFunction = r->recv_buf[1];' and reaches the underflowing 'len = (uint16_t)(r->recv_len - UDS_0X27_REQ_BASE_LEN)' at lines 1473 and 1511 without any guard on recv_len. Every other sub-function handler in the same file (Handle_0x10 at L911, Handle_0x11 at L960, Handle_0x14 at L996, Handle_0x19 at L1038 with per-sub-function checks, Handle_0x23 at L1418, Handle_0x28 at L1534, and others) performs an explicit 'if (r->recv_len < UDS_0X<XX>_REQ_*_LEN) return NegativeResponse(...)' check before indexing recv_buf - 0x27 is the sole missing one. The recommended fix is the one-liner: 'if (r->recv_len < UDS_0X27_REQ_BASE_LEN) return NegativeResponse(r, UDS_NRC_IncorrectMessageLengthOrInvalidFormat);' at the top of the handler, matching the project's existing pattern. The vulnerability was disclosed to the upstream maintainer through a private GitHub security advisory on 2026-05-26. CVSS scoring matches the precedent set by CVE-2026-54412 (MQTT-C OOB read / integer underflow): VC:L for the bounded heap-byte disclosure, VA:H for the crash on resource-constrained embedded targets, AV:N because the same library is deployed behind DoIP-over-Ethernet diagnostic gateways. Downstream consumers using iso14229 strictly over physical CAN-only deployments may locally lower attackVector to ADJACENT when scoring their own environment."}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "driftregion iso14229 through 0.9.0 contains an integer underflow and downstream out-of-bounds read in the Handle_0x27_SecurityAccess() function in iso14229.c that allows a remote unauthenticated attacker to crash a UDS server and potentially read memory past the receive buffer by sending a single-byte 0x27 SecurityAccess request that follows any earlier well-formed 0x27 message. The handler reads the SecurityAccess subFunction from recv_buf[1] without first checking that recv_len is at least 2, then computes the key-data length as the unsigned subtraction (uint16_t)(recv_len - UDS_0X27_REQ_BASE_LEN); when recv_len equals 1 the result underflows to 65535 and is passed as args.len to the application's SecAccessValidateKey or SecAccessRequestSeed callback, which typically iterates or copies that many bytes from the 4-KB receive buffer. Every other UDS sub-function handler in the library (0x10, 0x11, 0x14, 0x19, 0x22, 0x23, 0x28, and others) performs an explicit recv_len lower-bound check before indexing; Handle_0x27_SecurityAccess is the sole outlier. The vulnerable handler reaches over CAN bus, OBD-II, ISO-TP, and DoIP transports and is exposed in the default diagnostic session without prior authentication; deployments on automotive ECUs, industrial controllers, and IoT devices that ship iso14229 as their UDS server are affected."}], "id": "CVE-2026-54413", "lastModified": "2026-06-14T18:17:20.943", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:D/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary"}]}, "published": "2026-06-14T18:17:20.943", "references": [{"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "url": "https://cwe.mitre.org/data/definitions/125.html"}, {"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "url": "https://cwe.mitre.org/data/definitions/191.html"}, {"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "url": "https://github.com/driftregion/iso14229"}, {"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "url": "https://github.com/driftregion/iso14229/blob/main/iso14229.c#L1447"}], "sourceIdentifier": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-191"}], "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary"}]}

{}

{"created": "2026-06-14T19:30:14.414179+00:00", "title": "Integer Underflow in ISO\u2011TP UDS SecurityAccess Handler Allows Crash and Potential Memory Disclosure", "updated": "2026-06-14T19:30:14.414201+00:00", "vendors": []}