Integer underflow vulnerability in Open-SAE-J1939 thru commit b6caf884df46435e539b1ecbf92b6c29b345bdfe (2025-11-30) in SAE_J1939_Read_Transport_Protocol_Data_Transfer,allows attackers to write to arbitrary memory via crafted sequence number from the CAN frame.
An attacker sends a crafted CAN frame containing a maliciously constructed sequence number. During protocol processing, the SAE_J1939_Read_Transport_Protocol_Data_Transfer function performs an arithmetic operation that leads to integer underflow — an integer value drops below zero, causing incorrect index or size calculation. As a result, the library writes data to any memory address controlled by the attacker.
An attacker can overwrite any memory area of the process, which in practice can lead to arbitrary code execution (RCE), system takeover, or destabilization. The full impact includes loss of confidentiality, integrity, and availability (C:H/I:H/A:H).
Patches available from the manufacturer should be applied according to references. It is recommended to monitor the project repository (https://github.com/DanielMartensson/Open-SAE-J1939) and update to a version containing the fix after the indicated commit. Additionally, access to CAN interfaces should be restricted exclusively to trusted devices, and CAN frame filtering should be applied at the network/gateway level.
Open-SAE-J1939 in all versions up to and including commit b6caf884df46435e539b1ecbf92b6c29b345bdfe (as of 2025-11-30)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H