CVE-2026-54413 | Severity: HIGH | CNA: TuranSec

CVE-2026-54413: driftregion iso14229 through 0.9.0

driftregion iso14229 through 0.9.0 contains an integer underflow and a downstream out-of-bounds read in the Handle_0x27_SecurityAccess() function in iso14229.c. A remote, unauthenticated attacker can crash a UDS server, and potentially read memory past the receive buffer, by sending a single-byte 0x27 SecurityAccess request after any earlier well-formed 0x27 message.

The handler reads the SecurityAccess subFunction from recv_buf[1] without first checking that recv_len is at least 2, so a one-byte request sees whatever subFunction byte the earlier well-formed 0x27 request left in the buffer. It then computes the key-data length as the unsigned subtraction (uint16_t)(recv_len - UDS_0X27_REQ_BASE_LEN); when recv_len is 1 the result wraps to 65535 and is passed as args.len to the application's SecAccessValidateKey or SecAccessRequestSeed callback, which typically iterates over or copies that many bytes from the 4 KB receive buffer.

Every other UDS service handler in the library (0x10, 0x11, 0x14, 0x19, 0x22, 0x23, 0x28, and others) performs an explicit recv_len lower-bound check before indexing; Handle_0x27_SecurityAccess is the sole outlier.

The vulnerable handler is reachable over CAN bus, OBD-II, ISO-TP and DoIP transports and is exposed in the default diagnostic session without prior authentication, so deployments on automotive ECUs, industrial controllers and IoT devices that ship iso14229 as their UDS server are affected.
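The length arithmetic above, reduced to a stand-in for the unpatched handler beside its hardened form. This is an added example, not code from iso14229 or from the advisory: SecAccessArgs, handle_0x27_vulnerable, handle_0x27_fixed, overrun_bytes and demo_underflow are this example's own names, UDS_0X27_REQ_BASE_LEN is assumed to be 2 (SID plus subFunction, which is what makes recv_len 1 wrap to 65535), and the real handler's subFunction validation is not reproduced beyond rejecting the ISO-reserved value 0x00. The demo never dereferences beyond the buffer; it computes how far a callback walking args.len bytes would reach.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RECV_BUF_SIZE 4096            /* the 4 KB receive buffer named in the advisory */
#define UDS_0X27_REQ_BASE_LEN 2       /* assumed: SID 0x27 + subFunction; 1 - 2 wraps to 65535 */
#define SID_SECURITY_ACCESS 0x27
#define NRC_SUBFUNC_NOT_SUPPORTED 0x12
#define NRC_INCORRECT_LENGTH 0x13     /* incorrectMessageLengthOrInvalidFormat */

/* Assumed shape of what the server hands to the application's
 * SecAccessRequestSeed / SecAccessValidateKey callback (not the library's struct). */
typedef struct {
    uint8_t subFunction;  /* odd = requestSeed, even = sendKey */
    const uint8_t *data;  /* seed parameters or key bytes after the subFunction */
    uint16_t len;         /* how many bytes the callback is told to consume */
} SecAccessArgs;

/* Stand-in for the unpatched handler: indexes recv_buf[1] with no lower-bound
 * check and derives the length by unsigned subtraction. Returns 0 when the
 * request would be dispatched to the callback, otherwise the NRC to send. */
static uint8_t handle_0x27_vulnerable(const uint8_t *recv_buf, uint16_t recv_len,
                                      SecAccessArgs *args) {
    uint8_t subFunction = recv_buf[1];          /* stale byte when recv_len == 1 */
    if (subFunction == 0x00)                    /* only the ISO-reserved value is refused here */
        return NRC_SUBFUNC_NOT_SUPPORTED;
    args->subFunction = subFunction;
    args->data = &recv_buf[UDS_0X27_REQ_BASE_LEN];
    args->len = (uint16_t)(recv_len - UDS_0X27_REQ_BASE_LEN);   /* 1 - 2 -> 65535 */
    return 0;
}

/* Hardened form: the same lower-bound check the other service handlers perform. */
static uint8_t handle_0x27_fixed(const uint8_t *recv_buf, uint16_t recv_len,
                                 SecAccessArgs *args) {
    if (recv_len < UDS_0X27_REQ_BASE_LEN)
        return NRC_INCORRECT_LENGTH;
    uint8_t subFunction = recv_buf[1];
    if (subFunction == 0x00)
        return NRC_SUBFUNC_NOT_SUPPORTED;
    args->subFunction = subFunction;
    args->data = &recv_buf[UDS_0X27_REQ_BASE_LEN];
    args->len = (uint16_t)(recv_len - UDS_0X27_REQ_BASE_LEN);   /* cannot wrap now */
    return 0;
}

/* Bytes past the end of the receive buffer that a callback walking
 * args->len bytes from args->data would touch (0 = stays in bounds). */
static size_t overrun_bytes(const uint8_t *recv_buf, const SecAccessArgs *args) {
    size_t end = (size_t)(args->data - recv_buf) + args->len;
    return end > RECV_BUF_SIZE ? end - RECV_BUF_SIZE : 0;
}

/* Replays the advisory's trigger: a well-formed requestSeed, then a lone 0x27
 * byte that reuses the stale subFunction byte. Returns the args.len the
 * unpatched handler would pass on; the NRCs and the overrun come back by pointer. */
static uint16_t demo_underflow(uint8_t *nrc_vuln, uint8_t *nrc_fixed, size_t *overrun) {
    static uint8_t recv_buf[RECV_BUF_SIZE];
    SecAccessArgs args = {0}, fixed_args = {0};

    const uint8_t req1[] = { SID_SECURITY_ACCESS, 0x01 };   /* constructed: requestSeed, level 1 */
    memcpy(recv_buf, req1, sizeof req1);
    handle_0x27_vulnerable(recv_buf, (uint16_t)sizeof req1, &args);   /* len == 0, harmless */

    recv_buf[0] = SID_SECURITY_ACCESS;          /* constructed: one-byte request; recv_buf[1] still 0x01 */
    *nrc_vuln = handle_0x27_vulnerable(recv_buf, 1, &args);
    *overrun = overrun_bytes(recv_buf, &args);
    *nrc_fixed = handle_0x27_fixed(recv_buf, 1, &fixed_args);
    return args.len;
}

int main(void) {
    uint8_t nrc_vuln, nrc_fixed;
    size_t overrun;
    uint16_t len = demo_underflow(&nrc_vuln, &nrc_fixed, &overrun);
    printf("unpatched: nrc=0x%02x args.len=%u overrun=%zu bytes\n", nrc_vuln, len, overrun);
    printf("fixed:     nrc=0x%02x\n", nrc_fixed);
    return 0;
}
```

The stale-byte detail is why the advisory requires an earlier well-formed 0x27 message: on a freshly zeroed buffer recv_buf[1] would be 0x00 and the reserved-subFunction check would reject the request before the length is computed. With a 0x01 left behind, the unpatched stand-in dispatches with args.len 65535, which from offset 2 reaches 61441 bytes beyond a 4 KB buffer; the fixed form answers NRC 0x13 before touching recv_buf[1].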

Metrics

CVSS v4.0 score: 7.8
Severity: HIGH
Fixed in: no fixed version published
Affected products: 1


HarborGuard Analysis

Synopsis

An integer underflow and out-of-bounds read vulnerability exists in the Handle_0x27_SecurityAccess() function of driftregion iso14229 versions through 0.9.0. A remote, unauthenticated attacker triggers it by sending a single-byte 0x27 SecurityAccess request, after any earlier well-formed 0x27 message, over any supported transport (CAN bus, OBD-II, ISO-TP or DoIP); the length calculation wraps to 65535, so the application callback is told to consume 65535 bytes starting inside the 4 KB receive buffer and reads well past its end or crashes the server. No fix version has been published; HarborGuard tracks the upstream advisory and will make a patched rebuild available once a fix is released.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-54413 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle iso14229 as a library dependency. Any image found to include an affected version (iso14229 0.9.0 or earlier) is flagged immediately.

Triage: Available

Matched findings are scored at CVSS 7.8 HIGH and surfaced through each customer's compliance policy weighting, which can elevate or deprioritize the finding based on asset criticality and regulatory context. Triage notifications are routed to the team inbox or ticketing integration configured for the affected environment.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream project ships a corrected release. For customers who opt into auto-remediation, the rebuild, regression run and PR against affected workloads are triggered without manual intervention once a fix version exists.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to send UDS requests to the server over CAN bus, OBD-II, ISO-TP or DoIP; the advisory requires no local or physical access to the device itself. In practice CAN and OBD-II reachability means a sender on the vehicle's bus (another ECU, a telematics or infotainment unit, or a tool on the diagnostic port), while DoIP exposes the handler over IP.

  • Authentication: Not required

    The vulnerable handler is exposed in the default diagnostic session with no prior authentication; any unauthenticated sender can trigger the flaw.

  • Victim interaction: Not required

    No user or operator action is required; a single malformed request is sufficient to trigger the underflow.

  • Attack complexity: Low

    Exploitation is deterministic: a single-byte 0x27 request, sent after any earlier well-formed 0x27 message, triggers the underflow on every affected deployment without race conditions or a specific memory layout. Whether the result is a crash or a readable out-of-bounds region depends on the application's callback and on what lies beyond the receive buffer.

Blast Radius

  • Crashes the UDS server process, causing a denial of service for all diagnostic and control functions the server handles.
  • A callback that walks args.len bytes reads up to 65535 bytes starting just inside the 4 KB receive buffer, i.e. roughly 61 KB past its end, potentially exposing stack or heap contents such as cryptographic keys, session state or calibration data located after the buffer. Whether any of that data reaches the attacker depends on what the callback does with the bytes (a seed or key comparison leaks less than an echo would).
  • On automotive ECUs and industrial controllers, a server crash disrupts safety-critical diagnostic sessions and may prevent over-the-air updates or fault clearing until the device is restarted.

How HarborGuard Handles This

Available on HarborGuard: images containing iso14229 0.9.0 or earlier are detected and flagged at CVSS 7.8 HIGH as soon as the CVE is matched against a customer registry or pipeline scan. Because no upstream patch exists yet, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild and, for customers with auto-remediation enabled, a regression run and PR against affected workloads the moment the upstream project publishes a fix. While awaiting a patch, compensating controls to consider include: gateway or CAN-routing rules that restrict which bus segments and sources may send 0x27 SecurityAccess requests to exposed UDS endpoints, and that drop any 0x27 request shorter than two bytes outright, since no legitimate request has that form; ingress filtering of DoIP (TCP/UDP port 13400) at the network gateway so that only the diagnostic tester's addresses reach the server; and, where the application permits it, gating the diagnostic session behind transport-level authentication (for example TLS on DoIP where the stack supports it) to reduce unauthenticated exposure. Note that ISO-TP is a segmentation layer over CAN with no ports of its own; it is filtered at the CAN gateway, not with an IP rule.
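The CAN-gateway rule described above, as an added example that is neither HarborGuard's nor the iso14229 project's code. It parses ISO-TP (ISO 15765-2) single frames, drops a 0x27 request whose UDS payload is a single byte (the advisory's trigger), and drops 0x27 from a bus segment that is not allowed to request SecurityAccess. Verdict, isotp_single_frame and classify are this example's own names, the "trusted segment" flag stands in for whatever source attribution the gateway has (CAN ID, physical channel), and the sample frames are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SID_SECURITY_ACCESS 0x27

typedef enum {
    FRAME_PASS = 0,           /* forward unchanged */
    FRAME_DROP_TRUNCATED_27,  /* single-frame 0x27 carrying no subFunction byte */
    FRAME_DROP_UNTRUSTED_27   /* 0x27 from a segment that may not request SecurityAccess */
} Verdict;

/* Parse an ISO-TP (ISO 15765-2) single frame and locate the UDS payload.
 * Returns the payload length, or 0 if the frame is not a complete single frame.
 * Classic form: PCI high nibble 0, low nibble = length 1..7, payload at byte 1.
 * CAN FD escape form: first byte 0x00, second byte = length, payload at byte 2.
 * Padding bytes after the declared length are ignored, so DLC is not the length. */
static size_t isotp_single_frame(const uint8_t *d, size_t dlc, const uint8_t **payload) {
    if (dlc == 0 || (d[0] >> 4) != 0)
        return 0;                                  /* FF, CF, FC or empty frame */
    size_t len = d[0] & 0x0F;
    if (len == 0) {                                /* CAN FD escape form */
        if (dlc < 2 || d[1] == 0 || (size_t)d[1] + 2 > dlc)
            return 0;
        *payload = d + 2;
        return d[1];
    }
    if (len + 1 > dlc)
        return 0;                                  /* declared length exceeds the frame */
    *payload = d + 1;
    return len;
}

/* Gateway rule: a SecurityAccess request that is exactly one byte is the trigger
 * in the advisory and is never legitimate, so drop it; 0x27 from a bus segment
 * that has no business requesting SecurityAccess is dropped as well. */
static Verdict classify(const uint8_t *d, size_t dlc, int from_trusted_segment) {
    const uint8_t *p = NULL;
    size_t n = isotp_single_frame(d, dlc, &p);
    if (n == 0 || p[0] != SID_SECURITY_ACCESS)
        return FRAME_PASS;
    if (n < 2)
        return FRAME_DROP_TRUNCATED_27;
    if (!from_trusted_segment)
        return FRAME_DROP_UNTRUSTED_27;
    return FRAME_PASS;
}

int main(void) {
    /* Constructed CAN frames (data bytes only), as a gateway would see them. */
    struct { const char *label; uint8_t d[8]; size_t dlc; int trusted; } samples[] = {
        { "27 01 requestSeed, diag port", {0x02, 0x27, 0x01}, 3, 1 },
        { "lone 0x27, diag port",         {0x01, 0x27}, 2, 1 },
        { "lone 0x27, padded to 8",       {0x01, 0x27, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55}, 8, 1 },
        { "27 01 from infotainment",      {0x02, 0x27, 0x01}, 3, 0 },
        { "10 03 from infotainment",      {0x02, 0x10, 0x03}, 3, 0 },
        { "first frame of a long 0x27",   {0x10, 0x0A, 0x27, 0x02, 0x00, 0x00, 0x00, 0x00}, 8, 0 },
    };
    static const char *names[] = { "PASS", "DROP truncated 0x27", "DROP untrusted 0x27" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s -> %s\n", samples[i].label,
               names[classify(samples[i].d, samples[i].dlc, samples[i].trusted)]);
    return 0;
}
```

The truncated-request rule is complete on its own: a one-byte UDS payload always fits in a single frame, so it can never arrive as a multi-frame transfer. The untrusted-segment rule is not: this filter passes first frames (PCI 0x1) unchanged, so enforcing it for long 0x27 requests means inspecting the SID inside the first frame as well, and a DoIP deployment needs the equivalent check on the diagnostic-message payload rather than on CAN frames.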

Affected packages
  • driftregion / iso14229: ≤ 0.9.0

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/AU:Y/V:D